From 7232d2b6d5f23797db52cbf3f57f7bb822f09fec Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 19 Jan 2025 10:32:07 +0200 Subject: [PATCH 01/10] Pin boto3 and botocore to an old version when installing synapse-s3-storage-provider to prevent issues with non-AWS S3 providers Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3964 Related to https://github.com/aws/aws-cli/issues/9214 --- roles/custom/matrix-synapse/defaults/main.yml | 4 ++++ .../templates/synapse/customizations/Dockerfile.j2 | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index cc1a6730d..b45381c56 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -48,6 +48,10 @@ matrix_synapse_container_image_customizations_enabled: |- # The version that will be installed is specified in `matrix_synapse_ext_synapse_s3_storage_provider_version`. matrix_synapse_container_image_customizations_s3_storage_provider_installation_enabled: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}" +# Controls whether to install an old version of boto3 and botocore, to work around the following issue: +# https://github.com/aws/aws-cli/issues/9214 +matrix_synapse_container_image_customizations_s3_storage_provider_installation_old_boto_workaround_enabled: true + # Controls whether custom build steps will be added to the Dockerfile for installing auto-accept-invite module. # The version that will be installed is specified in `matrix_synapse_ext_synapse_auto_accept_invite_version`. matrix_synapse_container_image_customizations_auto_accept_invite_installation_enabled: "{{ matrix_synapse_ext_synapse_auto_accept_invite_enabled }}" diff --git a/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 b/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 index 39367fe09..d01268a4a 100644 --- a/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 @@ -6,8 +6,12 @@ RUN pip install synapse-auto-accept-invite=={{ matrix_synapse_ext_synapse_auto_a {% endif %} {% if matrix_synapse_container_image_customizations_s3_storage_provider_installation_enabled %} +{% if matrix_synapse_container_image_customizations_s3_storage_provider_installation_old_boto_workaround_enabled %} +RUN pip install 'boto3<1.36.0' 'botocore<1.36.0' synapse-s3-storage-provider=={{ matrix_synapse_ext_synapse_s3_storage_provider_version }} +{% else %} RUN pip install synapse-s3-storage-provider=={{ matrix_synapse_ext_synapse_s3_storage_provider_version }} {% endif %} +{% endif %} {% if matrix_synapse_container_image_customizations_templates_enabled %} {# From b56f1669cf404c18d38279a83ce5e9bcf1ca2d5d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 19 Jan 2025 08:33:12 +0000 Subject: [PATCH 02/10] Update dependency sphinx-markdown-builder to v0.6.8 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index 74c9c078e..b48a508f1 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -21,7 +21,7 @@ setuptools==75.8.0 snowballstemmer==2.2.0 Sphinx==8.1.3 sphinx-intl==2.3.1 -sphinx-markdown-builder==0.6.7 +sphinx-markdown-builder==0.6.8 sphinxcontrib-applehelp==2.0.0 sphinxcontrib-devhelp==2.0.0 sphinxcontrib-htmlhelp==2.1.0 From 96b3cb839263043c58b2e01d78b34ef517183f42 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 19 Jan 2025 15:22:59 +0200 Subject: [PATCH 03/10] Do not auto-add lightning bolt suffix to displayname for newly registered Conduit users This makes it consistent with other homeserver implementations, which do not mess with the displayname by adding suffixes. --- roles/custom/matrix-conduit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-conduit/defaults/main.yml b/roles/custom/matrix-conduit/defaults/main.yml index e38741f81..247c95751 100644 --- a/roles/custom/matrix-conduit/defaults/main.yml +++ b/roles/custom/matrix-conduit/defaults/main.yml @@ -131,7 +131,7 @@ matrix_conduit_allow_registration: false matrix_conduit_allow_federation: true # Enable the display name lightning bolt on registration. -matrix_conduit_enable_lightning_bolt: true +matrix_conduit_enable_lightning_bolt: false matrix_conduit_trusted_servers: - "matrix.org" From be586f0f30aac7f901b200cb6656ae98580a0c44 Mon Sep 17 00:00:00 2001 From: Virkkunen Date: Sun, 19 Jan 2025 13:19:08 +0100 Subject: [PATCH 04/10] initial conduwuit support --- group_vars/matrix_servers | 66 +++++++- roles/custom/matrix-base/defaults/main.yml | 2 +- .../matrix-base/tasks/validate_config.yml | 2 +- .../custom/matrix-conduwuit/defaults/main.yml | 147 ++++++++++++++++++ roles/custom/matrix-conduwuit/tasks/main.yml | 20 +++ .../matrix-conduwuit/tasks/setup_install.yml | 59 +++++++ .../tasks/setup_uninstall.yml | 19 +++ .../tasks/validate_config.yml | 11 ++ .../templates/conduwuit.toml.j2 | 67 ++++++++ .../matrix-conduwuit/templates/labels.j2 | 134 ++++++++++++++++ .../systemd/matrix-conduwuit.service.j2 | 51 ++++++ roles/custom/matrix-conduwuit/vars/main.yml | 3 + .../util/ensure_user_registered_conduwuit.yml | 5 + .../tasks/validate_config.yml | 8 + setup.yml | 1 + 15 files changed, 592 insertions(+), 3 deletions(-) create mode 100644 roles/custom/matrix-conduwuit/defaults/main.yml create mode 100644 roles/custom/matrix-conduwuit/tasks/main.yml create mode 100644 roles/custom/matrix-conduwuit/tasks/setup_install.yml create mode 100644 roles/custom/matrix-conduwuit/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-conduwuit/tasks/validate_config.yml create mode 100644 roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2 create mode 100644 roles/custom/matrix-conduwuit/templates/labels.j2 create mode 100644 roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2 create mode 100644 roles/custom/matrix-conduwuit/vars/main.yml create mode 100644 roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_conduwuit.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6da20c467..3a0c9b963 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -232,7 +232,7 @@ matrix_addons_homeserver_client_api_url: "{{ ('http://' + matrix_playbook_revers matrix_addons_homeserver_systemd_services_list: "{{ ([traefik_identifier + '.service'] if matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' else []) if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_systemd_services_list }}" # Starting from version `0.6.0` Conduit natively supports some sync v3 (sliding-sync) features. -matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else (matrix_homeserver_url if matrix_homeserver_implementation in ['conduit'] else '') }}" +matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else (matrix_homeserver_url if matrix_homeserver_implementation in ['conduit', 'conduwuit'] else '') }}" ######################################################################## # # @@ -553,6 +553,7 @@ matrix_homeserver_container_client_api_endpoint: |- 'synapse': ('matrix-synapse-reverse-proxy-companion:8008' if matrix_synapse_reverse_proxy_companion_enabled | default(false) else ('matrix-synapse:'+ matrix_synapse_container_client_api_port | default('8008') | string)), 'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string), 'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string), + 'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_port_number | default('8008') | string), }[matrix_homeserver_implementation] }} @@ -562,6 +563,7 @@ matrix_homeserver_container_federation_api_endpoint: |- 'synapse': ('matrix-synapse-reverse-proxy-companion:8048' if matrix_synapse_reverse_proxy_companion_enabled else ('matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port | default('8008') | string)), 'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string), 'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string), + 'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_port_number | default('8008') | string), }[matrix_homeserver_implementation] }} @@ -5503,6 +5505,7 @@ grafana_default_home_dashboard_path: |- 'synapse': ('/etc/grafana/dashboards/synapse.json' if matrix_synapse_metrics_enabled and matrix_synapse_metrics_enabled else ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else '')), 'dendrite': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''), 'conduit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''), + 'conduwuit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''), }[matrix_homeserver_implementation] }} @@ -5560,6 +5563,7 @@ matrix_registration_shared_secret: |- 'synapse': matrix_synapse_registration_shared_secret | default (''), 'dendrite': matrix_dendrite_client_api_registration_shared_secret | default (''), 'conduit': '', + 'conduwuit': '', }[matrix_homeserver_implementation] }} @@ -5804,6 +5808,66 @@ matrix_conduit_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix ###################################################################### +###################################################################### +# +# matrix-conduwuit +# +###################################################################### + +matrix_conduwuit_enabled: "{{ matrix_homeserver_implementation == 'conduwuit' }}" + +matrix_conduwuit_hostname: "{{ matrix_server_fqn_matrix }}" + +matrix_conduwuit_allow_federation: "{{ matrix_homeserver_federation_enabled }}" + +matrix_conduwuit_container_network: "{{ matrix_homeserver_container_network }}" + +matrix_conduwuit_container_additional_networks_auto: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_conduwuit_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else []) + ) | unique + }} + +matrix_conduwuit_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and not matrix_synapse_workers_enabled }}" +matrix_conduwuit_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_conduwuit_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_conduwuit_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" + +matrix_conduwuit_container_labels_public_client_root_redirection_enabled: "{{ matrix_conduwuit_container_labels_public_client_root_redirection_url != '' }}" +matrix_conduwuit_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}" + +matrix_conduwuit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix_federation }}" +matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}" +matrix_conduwuit_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}" + +matrix_conduwuit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}" +matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}" + +matrix_conduwuit_turn_uris: | + {{ + ([ + 'turns:' + matrix_server_fqn_matrix + '?transport=udp', + 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', + ] if matrix_coturn_enabled and matrix_coturn_tls_enabled else []) + + + ([ + 'turn:' + matrix_server_fqn_matrix + '?transport=udp', + 'turn:' + matrix_server_fqn_matrix + '?transport=tcp', + ] if matrix_coturn_enabled else []) + }} + +matrix_conduwuit_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}" +matrix_conduwuit_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}" +matrix_conduwuit_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}" + +###################################################################### +# +# /matrix-conduwuit +# +###################################################################### + + ###################################################################### # # matrix-user-creator diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index a0dd2f04d..e70328a40 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -49,7 +49,7 @@ matrix_monitoring_container_network: matrix-monitoring matrix_homeserver_enabled: true # This will contain the homeserver implementation that is in use. -# Valid values: synapse, dendrite, conduit +# Valid values: synapse, dendrite, conduit, conduwuit # # By default, we use Synapse, because it's the only full-featured Matrix server at the moment. # diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index fd389cd1c..41320a5fb 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml @@ -3,7 +3,7 @@ - name: Fail if invalid homeserver implementation ansible.builtin.fail: msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`" - when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit']" + when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'conduwuit']" - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: diff --git a/roles/custom/matrix-conduwuit/defaults/main.yml b/roles/custom/matrix-conduwuit/defaults/main.yml new file mode 100644 index 000000000..d6cb553d2 --- /dev/null +++ b/roles/custom/matrix-conduwuit/defaults/main.yml @@ -0,0 +1,147 @@ +--- +# Conduwuit is a fork of Conduit, powered by Matrix +# Project source code URL: https://github.com/girlbossceo/conduwuit +# See: https://conduwuit.puppyirl.gay/ + +matrix_conduwuit_enabled: true + +matrix_conduwuit_hostname: '' + +matrix_conduwuit_docker_image: "{{ matrix_conduwuit_docker_image_name_prefix }}girlbossceo/conduwuit:{{ matrix_conduwuit_docker_image_tag }}" +matrix_conduwuit_docker_image_name_prefix: "docker.io/" +# renovate: datasource=docker depName=matrixconduwuit/matrix-conduwuit +matrix_conduwuit_docker_image_tag: "main" +matrix_conduwuit_docker_image_force_pull: "{{ matrix_conduwuit_docker_image.endswith(':latest') }}" + +matrix_conduwuit_base_path: "{{ matrix_base_data_path }}/conduwuit" +matrix_conduwuit_config_path: "{{ matrix_conduwuit_base_path }}/config" +matrix_conduwuit_data_path: "{{ matrix_conduwuit_base_path }}/data" + +matrix_conduwuit_port_number: 6167 + +matrix_conduwuit_tmp_directory_size_mb: 500 + +# List of systemd services that matrix-conduwuit.service depends on +matrix_conduwuit_systemd_required_services_list: "{{ matrix_conduwuit_systemd_required_services_list_default + matrix_conduwuit_systemd_required_services_list_auto + matrix_conduwuit_systemd_required_services_list_custom }}" +matrix_conduwuit_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" +matrix_conduwuit_systemd_required_services_list_auto: [] +matrix_conduwuit_systemd_required_services_list_custom: [] + +# List of systemd services that matrix-conduwuit.service wants +matrix_conduwuit_systemd_wanted_services_list: [] + +# Controls how long to sleep for after starting the matrix-synapse container. +# +# Delaying, so that the homeserver can manage to fully start and various services +# that depend on it (`matrix_conduwuit_systemd_required_services_list` and `matrix_conduwuit_systemd_wanted_services_list`) +# may only start after the homeserver is up and running. +# +# This can be set to 0 to remove the delay. +matrix_conduwuit_systemd_service_post_start_delay_seconds: 3 + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_conduwuit_container_network: "" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_conduwuit_container_additional_networks: "{{ matrix_conduwuit_container_additional_networks_auto + matrix_conduwuit_container_additional_networks_custom }}" +matrix_conduwuit_container_additional_networks_auto: [] +matrix_conduwuit_container_additional_networks_custom: [] + +# matrix_conduwuit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_conduwuit_container_labels_additional_labels`. +matrix_conduwuit_container_labels_traefik_enabled: true +matrix_conduwuit_container_labels_traefik_docker_network: "{{ matrix_conduwuit_container_network }}" +matrix_conduwuit_container_labels_traefik_entrypoints: web-secure +matrix_conduwuit_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls whether labels will be added for handling the root (/) path on a public Traefik entrypoint. +matrix_conduwuit_container_labels_public_client_root_enabled: true +matrix_conduwuit_container_labels_public_client_root_traefik_hostname: "{{ matrix_conduwuit_hostname }}" +matrix_conduwuit_container_labels_public_client_root_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_client_root_traefik_hostname }}`) && Path(`/`)" +matrix_conduwuit_container_labels_public_client_root_traefik_priority: 0 +matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}" +matrix_conduwuit_container_labels_public_client_root_traefik_tls: "{{ matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints != 'web' }}" +matrix_conduwuit_container_labels_public_client_root_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming +matrix_conduwuit_container_labels_public_client_root_redirection_enabled: false +matrix_conduwuit_container_labels_public_client_root_redirection_url: "" + +# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint. +matrix_conduwuit_container_labels_public_client_api_enabled: true +matrix_conduwuit_container_labels_public_client_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}" +matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix: /_matrix +matrix_conduwuit_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix }}`)" +matrix_conduwuit_container_labels_public_client_api_traefik_priority: 0 +matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}" +matrix_conduwuit_container_labels_public_client_api_traefik_tls: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints != 'web' }}" +matrix_conduwuit_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming + +# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint. +# This is similar to `matrix_conduwuit_container_labels_public_client_api_enabled`, but the entrypoint and intent is different. +matrix_conduwuit_container_labels_internal_client_api_enabled: false +matrix_conduwuit_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix }}" +matrix_conduwuit_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_conduwuit_container_labels_internal_client_api_traefik_path_prefix }}`)" +matrix_conduwuit_container_labels_internal_client_api_traefik_priority: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_priority }}" +matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: "" + +# Controls whether labels will be added that expose the Server-Server API (Federation API) on a public Traefik entrypoint. +matrix_conduwuit_container_labels_public_federation_api_enabled: "{{ matrix_conduwuit_allow_federation }}" +matrix_conduwuit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}" +matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix: /_matrix +matrix_conduwuit_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix }}`)" +matrix_conduwuit_container_labels_public_federation_api_traefik_priority: 0 +matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints: '' +# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS. +matrix_conduwuit_container_labels_public_federation_api_traefik_tls: true +matrix_conduwuit_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming + +# matrix_conduwuit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_conduwuit_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_conduwuit_container_labels_additional_labels: '' + +# Extra arguments for the Docker container +matrix_conduwuit_container_extra_arguments: [] + +# Specifies which template files to use when configuring conduwuit. +# If you'd like to have your own different configuration, feel free to copy and paste +# the original files into your inventory (e.g. in `inventory/host_vars/matrix.example.com/`) +# and then change the specific host's `vars.yml` file like this: +# matrix_conduwuit_template_conduwuit_config: "{{ playbook_dir }}/inventory/host_vars/matrix.example.com/conduwuit.toml.j2" +matrix_conduwuit_template_conduwuit_config: "{{ role_path }}/templates/conduwuit.toml.j2" + +# Max size for uploads, in bytes +matrix_conduwuit_max_request_size: 20_000_000 + +# Maximum number of open files for conduwuit's embedded RocksDB database +# See https://github.com/facebook/rocksdb/wiki/RocksDB-Tuning-Guide#tuning-other-options +# By default, conduwuit uses a relatively low value of 20. +matrix_conduwuit_rocksdb_max_open_files: 64 + +# Enables registration. If set to false, no users can register on this server. +matrix_conduwuit_allow_registration: false + +matrix_conduwuit_allow_federation: true + +# Enable the display name lightning bolt on registration. +matrix_conduwuit_enable_lightning_bolt: true + +matrix_conduwuit_trusted_servers: + - "matrix.org" + +# How many requests conduwuit sends to other servers at the same time +matrix_conduwuit_max_concurrent_requests: 100 + +# TURN integration. +# See: https://gitlab.com/famedly/conduwuit/-/blob/next/TURN.md +matrix_conduwuit_turn_uris: [] +matrix_conduwuit_turn_secret: '' +matrix_conduwuit_turn_username: '' +matrix_conduwuit_turn_password: '' diff --git a/roles/custom/matrix-conduwuit/tasks/main.yml b/roles/custom/matrix-conduwuit/tasks/main.yml new file mode 100644 index 000000000..e6f16d120 --- /dev/null +++ b/roles/custom/matrix-conduwuit/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- tags: + - setup-all + - setup-conduwuit + - install-all + - install-conduwuit + block: + - when: matrix_conduwuit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_conduwuit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: + - setup-all + - setup-conduwuit + block: + - when: not matrix_conduwuit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-conduwuit/tasks/setup_install.yml b/roles/custom/matrix-conduwuit/tasks/setup_install.yml new file mode 100644 index 000000000..02b189986 --- /dev/null +++ b/roles/custom/matrix-conduwuit/tasks/setup_install.yml @@ -0,0 +1,59 @@ +--- + +- name: Ensure conduwuit config path exists + ansible.builtin.file: + path: "{{ matrix_conduwuit_config_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure conduwuit data path exists + ansible.builtin.file: + path: "{{ matrix_conduwuit_data_path }}" + state: directory + mode: 0770 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure conduwuit configuration installed + ansible.builtin.template: + src: "{{ matrix_conduwuit_template_conduwuit_config }}" + dest: "{{ matrix_conduwuit_config_path }}/conduwuit.toml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure conduwuit support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_conduwuit_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - labels + +- name: Ensure conduwuit container network is created + community.general.docker_network: + enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" + name: "{{ matrix_conduwuit_container_network }}" + driver: bridge + driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" + +- name: Ensure conduwuit container image is pulled + community.docker.docker_image: + name: "{{ matrix_conduwuit_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_conduwuit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduwuit_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure matrix-conduwuit.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-conduwuit.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service" + mode: 0644 diff --git a/roles/custom/matrix-conduwuit/tasks/setup_uninstall.yml b/roles/custom/matrix-conduwuit/tasks/setup_uninstall.yml new file mode 100644 index 000000000..dcf802b0a --- /dev/null +++ b/roles/custom/matrix-conduwuit/tasks/setup_uninstall.yml @@ -0,0 +1,19 @@ +--- + +- name: Check existence of matrix-conduwuit service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service" + register: matrix_conduwuit_service_stat + +- when: matrix_conduwuit_service_stat.stat.exists | bool + block: + - name: Ensure matrix-conduwuit is stopped + ansible.builtin.systemd: + name: matrix-conduwuit + state: stopped + daemon_reload: true + + - name: Ensure matrix-conduwuit.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service" + state: absent diff --git a/roles/custom/matrix-conduwuit/tasks/validate_config.yml b/roles/custom/matrix-conduwuit/tasks/validate_config.yml new file mode 100644 index 000000000..26f3ab100 --- /dev/null +++ b/roles/custom/matrix-conduwuit/tasks/validate_config.yml @@ -0,0 +1,11 @@ +--- + +- name: Fail if required conduwuit settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" + with_items: + - {'name': 'matrix_conduwuit_hostname', when: true} + - {'name': 'matrix_conduwuit_container_network', when: true} + - {'name': 'matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_conduwuit_container_labels_internal_client_api_enabled }}"} diff --git a/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2 b/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2 new file mode 100644 index 000000000..9933c6573 --- /dev/null +++ b/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2 @@ -0,0 +1,67 @@ +# ============================================================================= +# This is the official example config for Conduwuit. +# If you use it for your server, you will need to adjust it to your own needs. +# At the very least, change the server_name field! +# ============================================================================= + + +[global] +# The server_name is the pretty name of this server. It is used as a suffix for user +# and room IDs. Examples: matrix.org, puppyirl.gay + +# The Conduwuit server needs all /_matrix/ requests to be reachable at +# https://example.com/ on port 443 (client-server) and 8448 (federation). + +# If that's not possible for you, you can create /.well-known files to redirect +# requests. See +# https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client +# and +# https://matrix.org/docs/spec/server_server/r0.1.4#get-well-known-matrix-server +# for more information + +server_name = "{{ matrix_domain }}" + +# This is the only directory where Conduwuit will save its data +database_path = "/var/lib/matrix-conduwuit/" +database_backend = "rocksdb" + +# The port Conduwuit will be running on. You need to set up a reverse proxy in +# your web server (e.g. apache or nginx), so all requests to /_matrix on port +# 443 and 8448 will be forwarded to the Conduwuit instance running on this port +# Docker users: Don't change this, you'll need to map an external port to this. +port = {{ matrix_conduwuit_port_number }} + +# Max size for uploads +max_request_size = {{ matrix_conduwuit_max_request_size }} + +# Max number of open files for the RocksDB database +rocksdb_max_open_files = {{ matrix_conduwuit_rocksdb_max_open_files }} + +# Enables registration. If set to false, no users can register on this server. +allow_registration = {{ matrix_conduwuit_allow_registration | to_json }} + +allow_federation = {{ matrix_conduwuit_allow_federation | to_json }} + +# Enable the display name lightning bolt on registration. +enable_lightning_bolt = {{ matrix_conduwuit_enable_lightning_bolt | to_json }} + +trusted_servers = {{ matrix_conduwuit_trusted_servers | to_json }} + +max_concurrent_requests = {{ matrix_conduwuit_max_concurrent_requests }} + +log = "info,state_res=warn,rocket=off,_=off,sled=off" + +address = "0.0.0.0" + +turn_uris = {{ matrix_conduwuit_turn_uris | to_json }} + +{% if matrix_conduwuit_turn_secret != '' %} +turn_secret = {{ matrix_conduwuit_turn_secret | to_json }} +{% endif %} + +# If you have your TURN server configured to use a username and password +# you can provide these information too. In this case comment out `turn_secret above`! +{% if matrix_conduwuit_turn_username != '' or matrix_conduwuit_turn_password != '' %} +turn_username = {{ matrix_conduwuit_turn_username | to_json }} +turn_password = {{ matrix_conduwuit_turn_password | to_json }} +{% endif %} diff --git a/roles/custom/matrix-conduwuit/templates/labels.j2 b/roles/custom/matrix-conduwuit/templates/labels.j2 new file mode 100644 index 000000000..13ab1487c --- /dev/null +++ b/roles/custom/matrix-conduwuit/templates/labels.j2 @@ -0,0 +1,134 @@ +{% if matrix_conduwuit_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_conduwuit_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_conduwuit_container_labels_traefik_docker_network }} +{% endif %} + +traefik.http.services.matrix-conduwuit.loadbalancer.server.port={{ matrix_conduwuit_port_number }} + + +{% if matrix_conduwuit_container_labels_public_client_root_enabled %} +############################################################ +# # +# Public Root path (/) # +# # +############################################################ + +{% set client_root_middlewares = [] %} + +{% if matrix_conduwuit_container_labels_public_client_root_redirection_enabled %} +{% set client_root_middlewares = client_root_middlewares + ['matrix-conduwuit-client-root-redirect'] %} +traefik.http.middlewares.matrix-conduwuit-client-root-redirect.redirectregex.regex=(.*) +traefik.http.middlewares.matrix-conduwuit-client-root-redirect.redirectregex.replacement={{ matrix_conduwuit_container_labels_public_client_root_redirection_url }} +{% endif %} + +traefik.http.routers.matrix-conduwuit-public-client-root.rule={{ matrix_conduwuit_container_labels_public_client_root_traefik_rule }} + +traefik.http.routers.matrix-conduwuit-public-client-root.middlewares={{ client_root_middlewares | join(',') }} + +{% if matrix_conduwuit_container_labels_public_client_root_traefik_priority | int > 0 %} +traefik.http.routers.matrix-conduwuit-public-client-root.priority={{ matrix_conduwuit_container_labels_public_client_root_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-conduwuit-public-client-root.service=matrix-conduwuit +traefik.http.routers.matrix-conduwuit-public-client-root.entrypoints={{ matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints }} +traefik.http.routers.matrix-conduwuit-public-client-root.tls={{ matrix_conduwuit_container_labels_public_client_root_traefik_tls | to_json }} + +{% if matrix_conduwuit_container_labels_public_client_root_traefik_tls %} +traefik.http.routers.matrix-conduwuit-public-client-root.tls.certResolver={{ matrix_conduwuit_container_labels_public_client_root_traefik_tls_certResolver }} +{% endif %} + +############################################################ +# # +# /Public Root path (/) # +# # +############################################################ +{% endif %} + + +{% if matrix_conduwuit_container_labels_public_client_api_enabled %} +############################################################ +# # +# Public Client-API (/_matrix) # +# # +############################################################ + +traefik.http.routers.matrix-conduwuit-public-client-api.rule={{ matrix_conduwuit_container_labels_public_client_api_traefik_rule }} + +{% if matrix_conduwuit_container_labels_public_client_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-conduwuit-public-client-api.priority={{ matrix_conduwuit_container_labels_public_client_api_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-conduwuit-public-client-api.service=matrix-conduwuit +traefik.http.routers.matrix-conduwuit-public-client-api.entrypoints={{ matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints }} + +traefik.http.routers.matrix-conduwuit-public-client-api.tls={{ matrix_conduwuit_container_labels_public_client_api_traefik_tls | to_json }} +{% if matrix_conduwuit_container_labels_public_client_api_traefik_tls %} +traefik.http.routers.matrix-conduwuit-public-client-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_client_api_traefik_tls_certResolver }} +{% endif %} + +############################################################ +# # +# /Public Client-API (/_matrix) # +# # +############################################################ +{% endif %} + + +{% if matrix_conduwuit_container_labels_internal_client_api_enabled %} +############################################################ +# # +# Internal Client-API (/_matrix) # +# # +############################################################ + +traefik.http.routers.matrix-conduwuit-internal-client-api.rule={{ matrix_conduwuit_container_labels_internal_client_api_traefik_rule }} + +{% if matrix_conduwuit_container_labels_internal_client_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-conduwuit-internal-client-api.priority={{ matrix_conduwuit_container_labels_internal_client_api_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-conduwuit-internal-client-api.service=matrix-conduwuit +traefik.http.routers.matrix-conduwuit-internal-client-api.entrypoints={{ matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints }} + +############################################################ +# # +# /Internal Client-API (/_matrix) # +# # +############################################################ +{% endif %} + + +{% if matrix_conduwuit_container_labels_public_federation_api_enabled %} +############################################################ +# # +# Public Federation-API (/_matrix) # +# # +############################################################ + +traefik.http.routers.matrix-conduwuit-public-federation-api.rule={{ matrix_conduwuit_container_labels_public_federation_api_traefik_rule }} + +{% if matrix_conduwuit_container_labels_public_federation_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-conduwuit-public-federation-api.priority={{ matrix_conduwuit_container_labels_public_federation_api_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-conduwuit-public-federation-api.service=matrix-conduwuit +traefik.http.routers.matrix-conduwuit-public-federation-api.entrypoints={{ matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints }} + +traefik.http.routers.matrix-conduwuit-public-federation-api.tls={{ matrix_conduwuit_container_labels_public_federation_api_traefik_tls | to_json }} +{% if matrix_conduwuit_container_labels_public_federation_api_traefik_tls %} +traefik.http.routers.matrix-conduwuit-public-federation-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_federation_api_traefik_tls_certResolver }} +{% endif %} + +############################################################ +# # +# /Public Federation-API (/_matrix) # +# # +############################################################ +{% endif %} + + +{% endif %} + +{{ matrix_conduwuit_container_labels_additional_labels }} diff --git a/roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2 b/roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2 new file mode 100644 index 000000000..54b5cc7a5 --- /dev/null +++ b/roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2 @@ -0,0 +1,51 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Conduwuit Matrix homeserver +{% for service in matrix_conduwuit_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-conduwuit 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduwuit 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-conduwuit \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_conduwuit_tmp_directory_size_mb }}m \ + --network={{ matrix_conduwuit_container_network }} \ + --env conduwuit_CONFIG=/etc/matrix-conduwuit/conduwuit.toml \ + --label-file={{ matrix_conduwuit_base_path }}/labels \ + --mount type=bind,src={{ matrix_conduwuit_data_path }},dst=/var/lib/matrix-conduwuit \ + --mount type=bind,src={{ matrix_conduwuit_config_path }},dst=/etc/matrix-conduwuit,ro \ + {% for arg in matrix_conduwuit_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_conduwuit_docker_image }} + +{% for network in matrix_conduwuit_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-conduwuit +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-conduwuit + +{% if matrix_conduwuit_systemd_service_post_start_delay_seconds != 0 %} +ExecStartPost=-{{ matrix_host_command_sleep }} {{ matrix_conduwuit_systemd_service_post_start_delay_seconds }} +{% endif %} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-conduwuit 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduwuit 2>/dev/null || true' +ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-conduwuit /bin/sh -c 'kill -HUP 1' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-conduwuit + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-conduwuit/vars/main.yml b/roles/custom/matrix-conduwuit/vars/main.yml new file mode 100644 index 000000000..7d26a504b --- /dev/null +++ b/roles/custom/matrix-conduwuit/vars/main.yml @@ -0,0 +1,3 @@ +--- +matrix_conduwuit_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}/_matrix/client/versions" +matrix_conduwuit_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" diff --git a/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_conduwuit.yml b/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_conduwuit.yml new file mode 100644 index 000000000..a44f982e4 --- /dev/null +++ b/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_conduwuit.yml @@ -0,0 +1,5 @@ +--- + +- name: Ensure Conduwuit user registered - {{ user.username | quote }} + ansible.builtin.debug: + msg: "Not registering user. To register Conduwuit users, message the Conduwuit bot" diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index b3b792a78..6e9b63d54 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -302,6 +302,14 @@ - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_with_container', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_conduit_additional_server_configuration_blocks', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_conduwuit_enabled', 'new': 'matrix_conduwuit_container_labels_traefik_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_conduwuit_block_federation_api_on_client_port', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_enabled', 'new': 'matrix_conduwuit_container_labels_public_federation_api_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_conduwuit_client_api_addr_with_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_conduwuit_client_api_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_addr_with_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_conduwuit_additional_server_configuration_blocks', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_dendrite_enabled', 'new': 'matrix_dendrite_container_labels_traefik_enabled'} - {'old': 'matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_enabled', 'new': 'matrix_dendrite_container_labels_public_federation_api_enabled'} diff --git a/setup.yml b/setup.yml index cb5fd7a1a..95e4b4a03 100644 --- a/setup.yml +++ b/setup.yml @@ -106,6 +106,7 @@ - custom/matrix-synapse-reverse-proxy-companion - custom/matrix-dendrite - custom/matrix-conduit + - custom/matrix-conduwuit - custom/matrix-synapse-admin - custom/matrix-synapse-usage-exporter - galaxy/prometheus_node_exporter From 5e03006c5debee323cb92c1271420bd48e98a1fb Mon Sep 17 00:00:00 2001 From: Virkkunen Date: Sun, 19 Jan 2025 13:56:10 +0100 Subject: [PATCH 05/10] remove unnecessary configurations --- roles/custom/matrix-conduwuit/defaults/main.yml | 9 ++------- .../matrix-conduwuit/templates/conduwuit.toml.j2 | 10 ++-------- 2 files changed, 4 insertions(+), 15 deletions(-) diff --git a/roles/custom/matrix-conduwuit/defaults/main.yml b/roles/custom/matrix-conduwuit/defaults/main.yml index d6cb553d2..14833051c 100644 --- a/roles/custom/matrix-conduwuit/defaults/main.yml +++ b/roles/custom/matrix-conduwuit/defaults/main.yml @@ -120,18 +120,13 @@ matrix_conduwuit_template_conduwuit_config: "{{ role_path }}/templates/conduwuit # Max size for uploads, in bytes matrix_conduwuit_max_request_size: 20_000_000 -# Maximum number of open files for conduwuit's embedded RocksDB database -# See https://github.com/facebook/rocksdb/wiki/RocksDB-Tuning-Guide#tuning-other-options -# By default, conduwuit uses a relatively low value of 20. -matrix_conduwuit_rocksdb_max_open_files: 64 - # Enables registration. If set to false, no users can register on this server. matrix_conduwuit_allow_registration: false matrix_conduwuit_allow_federation: true -# Enable the display name lightning bolt on registration. -matrix_conduwuit_enable_lightning_bolt: true +# The display name suffix on registration. Change to '' to disable. +matrix_conduwuit_new_user_displayname_suffix: '' matrix_conduwuit_trusted_servers: - "matrix.org" diff --git a/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2 b/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2 index 9933c6573..849010b3f 100644 --- a/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2 +++ b/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2 @@ -23,7 +23,6 @@ server_name = "{{ matrix_domain }}" # This is the only directory where Conduwuit will save its data database_path = "/var/lib/matrix-conduwuit/" -database_backend = "rocksdb" # The port Conduwuit will be running on. You need to set up a reverse proxy in # your web server (e.g. apache or nginx), so all requests to /_matrix on port @@ -34,21 +33,16 @@ port = {{ matrix_conduwuit_port_number }} # Max size for uploads max_request_size = {{ matrix_conduwuit_max_request_size }} -# Max number of open files for the RocksDB database -rocksdb_max_open_files = {{ matrix_conduwuit_rocksdb_max_open_files }} - # Enables registration. If set to false, no users can register on this server. allow_registration = {{ matrix_conduwuit_allow_registration | to_json }} allow_federation = {{ matrix_conduwuit_allow_federation | to_json }} -# Enable the display name lightning bolt on registration. -enable_lightning_bolt = {{ matrix_conduwuit_enable_lightning_bolt | to_json }} +# Enable the display name suffix on registration. +new_user_displayname_suffix = {{ matrix_conduwuit_new_user_displayname_suffix | to_json }} trusted_servers = {{ matrix_conduwuit_trusted_servers | to_json }} -max_concurrent_requests = {{ matrix_conduwuit_max_concurrent_requests }} - log = "info,state_res=warn,rocket=off,_=off,sled=off" address = "0.0.0.0" From 1b80a76b935fa46611237bce86595bb26fd52576 Mon Sep 17 00:00:00 2001 From: Virkkunen Date: Sun, 19 Jan 2025 13:58:53 +0100 Subject: [PATCH 06/10] fix docker depName --- roles/custom/matrix-conduwuit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-conduwuit/defaults/main.yml b/roles/custom/matrix-conduwuit/defaults/main.yml index 14833051c..3f71c515e 100644 --- a/roles/custom/matrix-conduwuit/defaults/main.yml +++ b/roles/custom/matrix-conduwuit/defaults/main.yml @@ -9,7 +9,7 @@ matrix_conduwuit_hostname: '' matrix_conduwuit_docker_image: "{{ matrix_conduwuit_docker_image_name_prefix }}girlbossceo/conduwuit:{{ matrix_conduwuit_docker_image_tag }}" matrix_conduwuit_docker_image_name_prefix: "docker.io/" -# renovate: datasource=docker depName=matrixconduwuit/matrix-conduwuit +# renovate: datasource=docker depName=girlbossceo/conduwuit matrix_conduwuit_docker_image_tag: "main" matrix_conduwuit_docker_image_force_pull: "{{ matrix_conduwuit_docker_image.endswith(':latest') }}" From 24f3493caf3350f93b2efc9791195e0461a605f4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 19 Jan 2025 16:01:38 +0200 Subject: [PATCH 07/10] Add various polish to Conduwuit https://github.com/Virkkunen and I have been working on the same feature simultaneously. This patch adds my additional independent work on top of his changes. Notable changes here compared to Virkkunen's original work: - renaming config-related variables (`matrix_conduwuit_*` -> `matrix_conduwuit_config_*`). This is consistent with other roles (and better), but deviates from how the Conduit role was implemented. - using a full configuration sample from https://conduwuit.puppyirl.gay/configuration.html instead of using the old Conduit config file template - introducing configurability for more Conduwuit config settings, to support easy registration, etc. - removing configuration settings that Conduwuit does not support anymore (e.g. `max_concurrent_requests`) - cross-linking docs pages for Conduit and Conduwuit - a Conduwuit docs page which is much improved compared to the old Conduit one - REAMDE updates --- README.md | 1 + docs/configuring-playbook-conduit.md | 6 +- docs/configuring-playbook-conduwuit.md | 95 + group_vars/matrix_servers | 16 +- .../custom/matrix-conduwuit/defaults/main.yml | 83 +- .../custom/matrix-conduwuit/tasks/install.yml | 60 + roles/custom/matrix-conduwuit/tasks/main.yml | 13 +- .../tasks/self_check_client_api.yml | 23 + .../tasks/self_check_federation_api.yml | 28 + .../matrix-conduwuit/tasks/uninstall.yml | 19 + .../templates/conduwuit.toml.j2 | 1555 ++++++++++++++++- .../custom/matrix-conduwuit/templates/env.j2 | 1 + .../matrix-conduwuit/templates/labels.j2 | 33 +- .../systemd/matrix-conduwuit.service.j2 | 8 +- roles/custom/matrix-conduwuit/vars/main.yml | 1 + .../tasks/validate_config.yml | 8 - 16 files changed, 1869 insertions(+), 81 deletions(-) create mode 100644 docs/configuring-playbook-conduwuit.md create mode 100644 roles/custom/matrix-conduwuit/tasks/install.yml create mode 100644 roles/custom/matrix-conduwuit/tasks/self_check_client_api.yml create mode 100644 roles/custom/matrix-conduwuit/tasks/self_check_federation_api.yml create mode 100644 roles/custom/matrix-conduwuit/tasks/uninstall.yml create mode 100644 roles/custom/matrix-conduwuit/templates/env.j2 diff --git a/README.md b/README.md index 488aab37e..ee1c5a144 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,7 @@ The homeserver is the backbone of your Matrix system. Choose one from the follow | ---- | -------- | ----------- | ------------- | | [Synapse](https://github.com/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) | | [Conduit](https://conduit.rs) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) | +| [Conduwuit](https://conduwuit.puppyirl.gay/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduwuit is a fork of Conduit. | [Link](docs/configuring-playbook-conduwuit.md) | | [Dendrite](https://github.com/element-hq/dendrite) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | [Link](docs/configuring-playbook-dendrite.md) | ### Clients diff --git a/docs/configuring-playbook-conduit.md b/docs/configuring-playbook-conduit.md index 2eb571003..81ac48ee5 100644 --- a/docs/configuring-playbook-conduit.md +++ b/docs/configuring-playbook-conduit.md @@ -6,6 +6,8 @@ See the project's [documentation](https://docs.conduit.rs/) to learn what it doe By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document. +💡 **Note**: The playbook also supports installing a (currently) faster-moving Conduit fork called [Conduwuit](./configuring-playbook-conduwuit.md). + ⚠️ **Warnings**: - **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Conduit). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet. @@ -48,9 +50,9 @@ Since it is difficult to create the first user account on Conduit (see [famedly/ ## Configuring bridges / appservices -Automatic appservice setup is currently unsupported when using Conduit. After setting up the service as usual you may notice that it is unable to start. +For other homeserver implementations (like Synapse and Dendrite), the playbook automatically registers appservices (for bridges, bots, etc.) with the homeserver. -You will have to manually register appservices using the the [register-appservice](https://gitlab.com/famedly/conduit/-/blob/next/APPSERVICES.md) command. +For Conduit, you will have to manually register appservices using the the [register-appservice](https://gitlab.com/famedly/conduit/-/blob/next/APPSERVICES.md) command. Find the `registration.yaml` in the `/matrix` directory, for example `/matrix/mautrix-signal/bridge/registration.yaml`, then pass the content to Conduit: diff --git a/docs/configuring-playbook-conduwuit.md b/docs/configuring-playbook-conduwuit.md new file mode 100644 index 000000000..512f4530b --- /dev/null +++ b/docs/configuring-playbook-conduwuit.md @@ -0,0 +1,95 @@ +# Configuring Conduwuit (optional) + +The playbook can install and configure the [Conduwuit](https://conduwuit.puppyirl.gay/) Matrix server for you. + +See the project's [documentation](https://conduwuit.puppyirl.gay/) to learn what it does and why it might be useful to you. + +By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document. + +💡 **Note**: Conduwuit is a fork of [Conduit](./configuring-playbook-conduit.md), which the playbook also supports. See [Differences from upstream Conduit](https://conduwuit.puppyirl.gay/differences.html). + +⚠️ **Warnings**: + +- **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Conduwuit). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet. + +- **Homeserver implementations other than Synapse may not be fully functional**. The playbook may also not assist you in an optimal way (like it does with Synapse). Make yourself familiar with the downsides before proceeding + +## Adjusting the playbook configuration + +To use Conduwuit, you **generally** need to adjust the `matrix_homeserver_implementation: synapse` configuration on your `inventory/host_vars/matrix.example.com/vars.yml` file as below: + +```yaml +matrix_homeserver_implementation: conduwuit + +# Registering users can only happen via the API, +# so it makes sense to enable it, at least initially. +matrix_conduwuit_config_allow_registration: true + +# Generate a strong registration token to protect the registration endpoint from abuse. +# You can create one with a command like `pwgen -s 64 1`. +matrix_conduwuit_config_registration_token: '' +``` + +### Extending the configuration + +There are some additional things you may wish to configure about the server. + +Take a look at: + +- `roles/custom/matrix-conduwuit/defaults/main.yml` for some variables that you can customize via your `vars.yml` file +- `roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2` for the server's default configuration + +There are various Ansible variables that control settings in the `conduwuit.toml` file. + +If a specific setting you'd like to change does not have a dedicated Ansible variable, you can either submit a PR to us to add it, or you can [override the setting using an environment variable](https://conduwuit.puppyirl.gay/configuration.html#environment-variables) using `matrix_conduwuit_environment_variables_extension`. For example: + +```yaml +matrix_conduwuit_environment_variables_extension: | + CONDUWUIT_MAX_REQUEST_SIZE=50000000 + CONDUWUIT_REQUEST_TIMEOUT=60 +``` + +## Creating the first user account + +Unlike other homeserver implementations (like Synapse and Dendrite), Conduwuit does not support creating users via the command line or via the playbook. + +If you followed the instructions above (see [Adjusting the playbook configuration](#adjusting-the-playbook-configuration)), you should have registration enabled and protected by a registration token. + +This should allow you to create the first user account via any client (like [Element Web](./configuring-playbook-client-element-web.md)) which supports creating users. + +The **first user account that you create will be marked as an admin** and **will be automatically invited to an admin room**. + + +## Configuring bridges / appservices + +For other homeserver implementations (like Synapse and Dendrite), the playbook automatically registers appservices (for bridges, bots, etc.) with the homeserver. + +For Conduwuit, you will have to manually register appservices using the [`!admin appservices register` command](https://conduwuit.puppyirl.gay/appservices.html#set-up-the-appservice---general-instructions) sent to the server bot account. + +The server's bot account has a Matrix ID of `@conduit:example.com` (not `@conduwuit:example.com`!) due to Conduwuit's historical legacy. +Your first user account would already have been invited to an admin room with this bot. + +Find the appservice file you'd like to register. This can be any `registration.yaml` file found in the `/matrix` directory, for example `/matrix/mautrix-signal/bridge/registration.yaml`. + +Then, send its content to the existing admin room: + + !admin appservices register + + ``` + as_token: + de.sorunome.msc2409.push_ephemeral: true + hs_token: + id: signal + namespaces: + aliases: + - exclusive: true + regex: ^#signal_.+:example\.org$ + users: + - exclusive: true + regex: ^@signal_.+:example\.org$ + - exclusive: true + regex: ^@signalbot:example\.org$ + rate_limited: false + sender_localpart: _bot_signalbot + url: http://matrix-mautrix-signal:29328 + ``` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3a0c9b963..4e5f0c9b2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -553,7 +553,7 @@ matrix_homeserver_container_client_api_endpoint: |- 'synapse': ('matrix-synapse-reverse-proxy-companion:8008' if matrix_synapse_reverse_proxy_companion_enabled | default(false) else ('matrix-synapse:'+ matrix_synapse_container_client_api_port | default('8008') | string)), 'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string), 'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string), - 'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_port_number | default('8008') | string), + 'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_config_port_number | default('8008') | string), }[matrix_homeserver_implementation] }} @@ -563,7 +563,7 @@ matrix_homeserver_container_federation_api_endpoint: |- 'synapse': ('matrix-synapse-reverse-proxy-companion:8048' if matrix_synapse_reverse_proxy_companion_enabled else ('matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port | default('8008') | string)), 'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string), 'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string), - 'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_port_number | default('8008') | string), + 'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_config_port_number | default('8008') | string), }[matrix_homeserver_implementation] }} @@ -5818,7 +5818,7 @@ matrix_conduwuit_enabled: "{{ matrix_homeserver_implementation == 'conduwuit' }} matrix_conduwuit_hostname: "{{ matrix_server_fqn_matrix }}" -matrix_conduwuit_allow_federation: "{{ matrix_homeserver_federation_enabled }}" +matrix_conduwuit_config_allow_federation: "{{ matrix_homeserver_federation_enabled }}" matrix_conduwuit_container_network: "{{ matrix_homeserver_container_network }}" @@ -5844,7 +5844,7 @@ matrix_conduwuit_container_labels_public_federation_api_traefik_tls: "{{ matrix_ matrix_conduwuit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}" matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}" -matrix_conduwuit_turn_uris: | +matrix_conduwuit_config_turn_uris: | {{ ([ 'turns:' + matrix_server_fqn_matrix + '?transport=udp', @@ -5857,9 +5857,11 @@ matrix_conduwuit_turn_uris: | ] if matrix_coturn_enabled else []) }} -matrix_conduwuit_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}" -matrix_conduwuit_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}" -matrix_conduwuit_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}" +matrix_conduwuit_config_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}" +matrix_conduwuit_config_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}" +matrix_conduwuit_config_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}" + +matrix_conduwuit_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}" ###################################################################### # diff --git a/roles/custom/matrix-conduwuit/defaults/main.yml b/roles/custom/matrix-conduwuit/defaults/main.yml index 3f71c515e..f302ed664 100644 --- a/roles/custom/matrix-conduwuit/defaults/main.yml +++ b/roles/custom/matrix-conduwuit/defaults/main.yml @@ -1,5 +1,5 @@ --- -# Conduwuit is a fork of Conduit, powered by Matrix +# conduwuit is a very cool, featureful fork of conduit (https://gitlab.com/famedly/conduit). # Project source code URL: https://github.com/girlbossceo/conduwuit # See: https://conduwuit.puppyirl.gay/ @@ -7,17 +7,18 @@ matrix_conduwuit_enabled: true matrix_conduwuit_hostname: '' -matrix_conduwuit_docker_image: "{{ matrix_conduwuit_docker_image_name_prefix }}girlbossceo/conduwuit:{{ matrix_conduwuit_docker_image_tag }}" +matrix_conduwuit_docker_image: "{{ matrix_conduwuit_docker_image_registry_prefix }}girlbossceo/conduwuit:{{ matrix_conduwuit_docker_image_tag }}" matrix_conduwuit_docker_image_name_prefix: "docker.io/" -# renovate: datasource=docker depName=girlbossceo/conduwuit -matrix_conduwuit_docker_image_tag: "main" +# renovate: datasource=docker depName=ghcr.io/girlbossceo/conduwuit +matrix_conduwuit_docker_image_tag: v0.4.6-8f7ade4c22533a3177bfd8f175e178573ba6c1d4 matrix_conduwuit_docker_image_force_pull: "{{ matrix_conduwuit_docker_image.endswith(':latest') }}" +matrix_conduwuit_docker_image_registry_prefix: ghcr.io/ matrix_conduwuit_base_path: "{{ matrix_base_data_path }}/conduwuit" matrix_conduwuit_config_path: "{{ matrix_conduwuit_base_path }}/config" matrix_conduwuit_data_path: "{{ matrix_conduwuit_base_path }}/data" -matrix_conduwuit_port_number: 6167 +matrix_conduwuit_config_port_number: 6167 matrix_conduwuit_tmp_directory_size_mb: 500 @@ -88,7 +89,7 @@ matrix_conduwuit_container_labels_internal_client_api_traefik_priority: "{{ matr matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: "" # Controls whether labels will be added that expose the Server-Server API (Federation API) on a public Traefik entrypoint. -matrix_conduwuit_container_labels_public_federation_api_enabled: "{{ matrix_conduwuit_allow_federation }}" +matrix_conduwuit_container_labels_public_federation_api_enabled: "{{ matrix_conduwuit_config_allow_federation }}" matrix_conduwuit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}" matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix: /_matrix matrix_conduwuit_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix }}`)" @@ -98,6 +99,16 @@ matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints: '' matrix_conduwuit_container_labels_public_federation_api_traefik_tls: true matrix_conduwuit_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming +# Controls whether labels will be added that expose the `/_conduwuit` path prefix on a public Traefik entrypoint. +matrix_conduwuit_container_labels_public_conduwuit_api_enabled: true +matrix_conduwuit_container_labels_public_conduwuit_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}" +matrix_conduwuit_container_labels_public_conduwuit_api_traefik_path_prefix: /_conduwuit +matrix_conduwuit_container_labels_public_conduwuit_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_path_prefix }}`)" +matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority: 0 +matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}" +matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls: "{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints != 'web' }}" +matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming + # matrix_conduwuit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. # @@ -118,25 +129,61 @@ matrix_conduwuit_container_extra_arguments: [] matrix_conduwuit_template_conduwuit_config: "{{ role_path }}/templates/conduwuit.toml.j2" # Max size for uploads, in bytes -matrix_conduwuit_max_request_size: 20_000_000 +matrix_conduwuit_config_server_name: "{{ matrix_domain }}" + +# Max size for uploads, in bytes +matrix_conduwuit_config_max_request_size: 20_000_000 # Enables registration. If set to false, no users can register on this server. -matrix_conduwuit_allow_registration: false +matrix_conduwuit_config_allow_registration: false + +# Controls the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting. +# This is only used when `matrix_conduwuit_config_allow_registration` is set to true and no registration token is configured. +matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse: false + +# Controls the `registration_token` setting. +# When registration is enabled (`matrix_conduwuit_config_allow_registration`) you: +# - either need to set a token to protect registration from abuse +# - or you need to enable the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting +# (see `matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`), +# to allow registration without any form of 2nd-step. +matrix_conduwuit_config_registration_token: '' + +# Controls the `new_user_displayname_suffix` setting. +# This is the suffix that will be added to the displayname of new users. +# Upstream defaults this to "🏳️‍⚧️", but we keep this consistent across all homeserver implementations and do not enable a suffix. +matrix_conduwuit_config_new_user_displayname_suffix: "" -matrix_conduwuit_allow_federation: true +# Controls the `allow_check_for_updates` setting. +matrix_conduwuit_config_allow_check_for_updates: false -# The display name suffix on registration. Change to '' to disable. -matrix_conduwuit_new_user_displayname_suffix: '' +# Controls the `emergency_password` setting. +matrix_conduwuit_config_emergency_password: '' + +# Controls the `allow_federation` setting. +matrix_conduwuit_config_allow_federation: true matrix_conduwuit_trusted_servers: - "matrix.org" -# How many requests conduwuit sends to other servers at the same time -matrix_conduwuit_max_concurrent_requests: 100 +matrix_conduwuit_config_log: "info,state_res=warn,rocket=off,_=off,sled=off" # TURN integration. -# See: https://gitlab.com/famedly/conduwuit/-/blob/next/TURN.md -matrix_conduwuit_turn_uris: [] -matrix_conduwuit_turn_secret: '' -matrix_conduwuit_turn_username: '' -matrix_conduwuit_turn_password: '' +# See: https://conduwuit.puppyirl.gay/turn.html +matrix_conduwuit_config_turn_uris: [] +matrix_conduwuit_config_turn_secret: '' +matrix_conduwuit_config_turn_username: '' +matrix_conduwuit_config_turn_password: '' + +# Controls whether the self-check feature should validate SSL certificates. +matrix_conduwuit_self_check_validate_certificates: true + +# Additional environment variables to pass to the container. +# +# Environment variables take priority over settings in the configuration file. +# +# Example: +# matrix_conduwuit_environment_variables_extension: | +# CONDUWUIT_MAX_REQUEST_SIZE=50000000 +# CONDUWUIT_REQUEST_TIMEOUT=60 +matrix_conduwuit_environment_variables_extension: '' diff --git a/roles/custom/matrix-conduwuit/tasks/install.yml b/roles/custom/matrix-conduwuit/tasks/install.yml new file mode 100644 index 000000000..91d244c25 --- /dev/null +++ b/roles/custom/matrix-conduwuit/tasks/install.yml @@ -0,0 +1,60 @@ +--- + +- name: Ensure conduwuit config path exists + ansible.builtin.file: + path: "{{ matrix_conduwuit_config_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure conduwuit data path exists + ansible.builtin.file: + path: "{{ matrix_conduwuit_data_path }}" + state: directory + mode: 0770 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure conduwuit configuration installed + ansible.builtin.template: + src: "{{ matrix_conduwuit_template_conduwuit_config }}" + dest: "{{ matrix_conduwuit_config_path }}/conduwuit.toml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure conduwuit support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_conduwuit_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - labels + - env + +- name: Ensure conduwuit container network is created + community.general.docker_network: + enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" + name: "{{ matrix_conduwuit_container_network }}" + driver: bridge + driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" + +- name: Ensure conduwuit container image is pulled + community.docker.docker_image: + name: "{{ matrix_conduwuit_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_conduwuit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduwuit_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure matrix-conduwuit.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-conduwuit.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service" + mode: 0644 diff --git a/roles/custom/matrix-conduwuit/tasks/main.yml b/roles/custom/matrix-conduwuit/tasks/main.yml index e6f16d120..68d5daad1 100644 --- a/roles/custom/matrix-conduwuit/tasks/main.yml +++ b/roles/custom/matrix-conduwuit/tasks/main.yml @@ -10,11 +10,20 @@ ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_conduwuit_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: - setup-all - setup-conduwuit block: - when: not matrix_conduwuit_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" + +- tags: + - self-check + block: + - when: matrix_conduwuit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" + + - when: matrix_conduwuit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" diff --git a/roles/custom/matrix-conduwuit/tasks/self_check_client_api.yml b/roles/custom/matrix-conduwuit/tasks/self_check_client_api.yml new file mode 100644 index 000000000..a34c14fb4 --- /dev/null +++ b/roles/custom/matrix-conduwuit/tasks/self_check_client_api.yml @@ -0,0 +1,23 @@ +--- + +- name: Check Matrix Client API + ansible.builtin.uri: + url: "{{ matrix_conduwuit_client_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_conduwuit_self_check_validate_certificates }}" + register: result_matrix_conduwuit_client_api + ignore_errors: true + check_mode: false + when: matrix_conduwuit_enabled | bool + delegate_to: 127.0.0.1 + become: false + +- name: Fail if Matrix Client API not working + ansible.builtin.fail: + msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_conduwuit_client_api_url_endpoint_public }}`). Is Conduwuit running? Is port 443 open in your firewall? Full error: {{ result_matrix_conduwuit_client_api }}" + when: "matrix_conduwuit_enabled | bool and (result_matrix_conduwuit_client_api.failed or 'json' not in result_matrix_conduwuit_client_api)" + +- name: Report working Matrix Client API + ansible.builtin.debug: + msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_conduwuit_client_api_url_endpoint_public }}`) is working" + when: matrix_conduwuit_enabled | bool diff --git a/roles/custom/matrix-conduwuit/tasks/self_check_federation_api.yml b/roles/custom/matrix-conduwuit/tasks/self_check_federation_api.yml new file mode 100644 index 000000000..fde73dae0 --- /dev/null +++ b/roles/custom/matrix-conduwuit/tasks/self_check_federation_api.yml @@ -0,0 +1,28 @@ +--- + +- name: Check Matrix Federation API + ansible.builtin.uri: + url: "{{ matrix_synapse_federation_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" + register: result_matrix_synapse_federation_api + ignore_errors: true + check_mode: false + when: matrix_synapse_enabled | bool + delegate_to: 127.0.0.1 + become: false + +- name: Fail if Matrix Federation API not working + ansible.builtin.fail: + msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}" + when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)" + +- name: Fail if Matrix Federation API unexpectedly enabled + ansible.builtin.fail: + msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) despite being disabled." + when: "matrix_synapse_enabled | bool and not matrix_synapse_federation_enabled | bool and not result_matrix_synapse_federation_api.failed" + +- name: Report working Matrix Federation API + ansible.builtin.debug: + msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working" + when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool" diff --git a/roles/custom/matrix-conduwuit/tasks/uninstall.yml b/roles/custom/matrix-conduwuit/tasks/uninstall.yml new file mode 100644 index 000000000..dcf802b0a --- /dev/null +++ b/roles/custom/matrix-conduwuit/tasks/uninstall.yml @@ -0,0 +1,19 @@ +--- + +- name: Check existence of matrix-conduwuit service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service" + register: matrix_conduwuit_service_stat + +- when: matrix_conduwuit_service_stat.stat.exists | bool + block: + - name: Ensure matrix-conduwuit is stopped + ansible.builtin.systemd: + name: matrix-conduwuit + state: stopped + daemon_reload: true + + - name: Ensure matrix-conduwuit.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service" + state: absent diff --git a/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2 b/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2 index 849010b3f..4b011448c 100644 --- a/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2 +++ b/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2 @@ -1,61 +1,1538 @@ -# ============================================================================= -# This is the official example config for Conduwuit. -# If you use it for your server, you will need to adjust it to your own needs. -# At the very least, change the server_name field! -# ============================================================================= - +### conduwuit Configuration +### See: +### https://conduwuit.puppyirl.gay/configuration.html [global] -# The server_name is the pretty name of this server. It is used as a suffix for user -# and room IDs. Examples: matrix.org, puppyirl.gay -# The Conduwuit server needs all /_matrix/ requests to be reachable at -# https://example.com/ on port 443 (client-server) and 8448 (federation). +# The server_name is the pretty name of this server. It is used as a +# suffix for user and room IDs/aliases. +# +# See the docs for reverse proxying and delegation: +# https://conduwuit.puppyirl.gay/deploying/generic.html#setting-up-the-reverse-proxy +# +# Also see the `[global.well_known]` config section at the very bottom. +# +# Examples of delegation: +# - https://puppygock.gay/.well-known/matrix/server +# - https://puppygock.gay/.well-known/matrix/client +# +# YOU NEED TO EDIT THIS. THIS CANNOT BE CHANGED AFTER WITHOUT A DATABASE +# WIPE. +# +# example: "conduwuit.woof" +# +server_name = {{ matrix_conduwuit_config_server_name | to_json }} + +# The default address (IPv4 or IPv6) conduwuit will listen on. +# +# If you are using Docker or a container NAT networking setup, this must +# be "0.0.0.0". +# +# To listen on multiple addresses, specify a vector e.g. ["127.0.0.1", +# "::1"] +# +address = "0.0.0.0" + +# The port(s) conduwuit will listen on. +# +# For reverse proxying, see: +# https://conduwuit.puppyirl.gay/deploying/generic.html#setting-up-the-reverse-proxy +# +# If you are using Docker, don't change this, you'll need to map an +# external port to this. +# +# To listen on multiple ports, specify a vector e.g. [8080, 8448] +# +port = {{ matrix_conduwuit_config_port_number }} + +# The UNIX socket conduwuit will listen on. +# +# conduwuit cannot listen on both an IP address and a UNIX socket. If +# listening on a UNIX socket, you MUST remove/comment the `address` key. +# +# Remember to make sure that your reverse proxy has access to this socket +# file, either by adding your reverse proxy to the 'conduwuit' group or +# granting world R/W permissions with `unix_socket_perms` (666 minimum). +# +# example: "/run/conduwuit/conduwuit.sock" +# +#unix_socket_path = + +# The default permissions (in octal) to create the UNIX socket with. +# +#unix_socket_perms = 660 + +# This is the only directory where conduwuit will save its data, including +# media. Note: this was previously "/var/lib/matrix-conduit". +# +# YOU NEED TO EDIT THIS. +# +# example: "/var/lib/conduwuit" +# +database_path = "/var/lib/conduwuit" + +# conduwuit supports online database backups using RocksDB's Backup engine +# API. To use this, set a database backup path that conduwuit can write +# to. +# +# For more information, see: +# https://conduwuit.puppyirl.gay/maintenance.html#backups +# +# example: "/opt/conduwuit-db-backups" +# +#database_backup_path = + +# The amount of online RocksDB database backups to keep/retain, if using +# "database_backup_path", before deleting the oldest one. +# +#database_backups_to_keep = 1 + +# Text which will be added to the end of the user's displayname upon +# registration with a space before the text. In Conduit, this was the +# lightning bolt emoji. +# +# To disable, set this to "" (an empty string). +# +# The default is the trans pride flag. +# +# example: "🏳️‍⚧️" +# +new_user_displayname_suffix = {{ matrix_conduwuit_config_new_user_displayname_suffix | to_json }} + +# If enabled, conduwuit will send a simple GET request periodically to +# `https://pupbrain.dev/check-for-updates/stable` for any new +# announcements made. Despite the name, this is not an update check +# endpoint, it is simply an announcement check endpoint. +# +# This is disabled by default as this is rarely used except for security +# updates or major updates. +# +allow_check_for_updates = {{ matrix_conduwuit_config_allow_check_for_updates | to_json }} + +# Set this to any float value to multiply conduwuit's in-memory LRU caches +# with such as "auth_chain_cache_capacity". +# +# May be useful if you have significant memory to spare to increase +# performance. +# +# If you have low memory, reducing this may be viable. +# +# By default, the individual caches such as "auth_chain_cache_capacity" +# are scaled by your CPU core count. +# +#cache_capacity_modifier = 1.0 + +# Set this to any float value in megabytes for conduwuit to tell the +# database engine that this much memory is available for database read +# caches. +# +# May be useful if you have significant memory to spare to increase +# performance. +# +# Similar to the individual LRU caches, this is scaled up with your CPU +# core count. +# +# This defaults to 128.0 + (64.0 * CPU core count). +# +#db_cache_capacity_mb = varies by system + +# Set this to any float value in megabytes for conduwuit to tell the +# database engine that this much memory is available for database write +# caches. +# +# May be useful if you have significant memory to spare to increase +# performance. +# +# Similar to the individual LRU caches, this is scaled up with your CPU +# core count. +# +# This defaults to 48.0 + (4.0 * CPU core count). +# +#db_write_buffer_capacity_mb = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#pdu_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#auth_chain_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#shorteventid_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#eventidshort_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#eventid_pdu_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#shortstatekey_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#statekeyshort_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#servernameevent_data_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#server_visibility_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#user_visibility_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#stateinfo_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#roomid_spacehierarchy_cache_capacity = varies by system + +# Maximum entries stored in DNS memory-cache. The size of an entry may +# vary so please take care if raising this value excessively. Only +# decrease this when using an external DNS cache. Please note that +# systemd-resolved does *not* count as an external cache, even when +# configured to do so. +# +#dns_cache_entries = 32768 + +# Minimum time-to-live in seconds for entries in the DNS cache. The +# default may appear high to most administrators; this is by design as the +# majority of NXDOMAINs are correct for a long time (e.g. the server is no +# longer running Matrix). Only decrease this if you are using an external +# DNS cache. +# +#dns_min_ttl = 10800 + +# Minimum time-to-live in seconds for NXDOMAIN entries in the DNS cache. +# This value is critical for the server to federate efficiently. +# NXDOMAIN's are assumed to not be returning to the federation and +# aggressively cached rather than constantly rechecked. +# +# Defaults to 3 days as these are *very rarely* false negatives. +# +#dns_min_ttl_nxdomain = 259200 + +# Number of DNS nameserver retries after a timeout or error. +# +#dns_attempts = 10 + +# The number of seconds to wait for a reply to a DNS query. Please note +# that recursive queries can take up to several seconds for some domains, +# so this value should not be too low, especially on slower hardware or +# resolvers. +# +#dns_timeout = 10 + +# Fallback to TCP on DNS errors. Set this to false if unsupported by +# nameserver. +# +#dns_tcp_fallback = true + +# Enable to query all nameservers until the domain is found. Referred to +# as "trust_negative_responses" in hickory_resolver. This can avoid +# useless DNS queries if the first nameserver responds with NXDOMAIN or +# an empty NOERROR response. +# +#query_all_nameservers = true + +# Enable using *only* TCP for querying your specified nameservers instead +# of UDP. +# +# If you are running conduwuit in a container environment, this config +# option may need to be enabled. For more details, see: +# https://conduwuit.puppyirl.gay/troubleshooting.html#potential-dns-issues-when-using-docker +# +#query_over_tcp_only = false + +# DNS A/AAAA record lookup strategy +# +# Takes a number of one of the following options: +# 1 - Ipv4Only (Only query for A records, no AAAA/IPv6) +# +# 2 - Ipv6Only (Only query for AAAA records, no A/IPv4) +# +# 3 - Ipv4AndIpv6 (Query for A and AAAA records in parallel, uses whatever +# returns a successful response first) +# +# 4 - Ipv6thenIpv4 (Query for AAAA record, if that fails then query the A +# record) +# +# 5 - Ipv4thenIpv6 (Query for A record, if that fails then query the AAAA +# record) +# +# If you don't have IPv6 networking, then for better DNS performance it +# may be suitable to set this to Ipv4Only (1) as you will never ever use +# the AAAA record contents even if the AAAA record is successful instead +# of the A record. +# +#ip_lookup_strategy = 5 + +# Max request size for file uploads in bytes. Defaults to 20MB. +# +max_request_size = {{ matrix_conduwuit_config_max_request_size }} + +# This item is undocumented. Please contribute documentation for it. +# +#max_fetch_prev_events = 192 + +# Default/base connection timeout (seconds). This is used only by URL +# previews and update/news endpoint checks. +# +#request_conn_timeout = 10 + +# Default/base request timeout (seconds). The time waiting to receive more +# data from another server. This is used only by URL previews, +# update/news, and misc endpoint checks. +# +#request_timeout = 35 + +# Default/base request total timeout (seconds). The time limit for a whole +# request. This is set very high to not cancel healthy requests while +# serving as a backstop. This is used only by URL previews and update/news +# endpoint checks. +# +#request_total_timeout = 320 + +# Default/base idle connection pool timeout (seconds). This is used only +# by URL previews and update/news endpoint checks. +# +#request_idle_timeout = 5 + +# Default/base max idle connections per host. This is used only by URL +# previews and update/news endpoint checks. Defaults to 1 as generally the +# same open connection can be re-used. +# +#request_idle_per_host = 1 + +# Federation well-known resolution connection timeout (seconds). +# +#well_known_conn_timeout = 6 + +# Federation HTTP well-known resolution request timeout (seconds). +# +#well_known_timeout = 10 + +# Federation client request timeout (seconds). You most definitely want +# this to be high to account for extremely large room joins, slow +# homeservers, your own resources etc. +# +#federation_timeout = 300 + +# Federation client idle connection pool timeout (seconds). +# +#federation_idle_timeout = 25 -# If that's not possible for you, you can create /.well-known files to redirect -# requests. See -# https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client -# and -# https://matrix.org/docs/spec/server_server/r0.1.4#get-well-known-matrix-server -# for more information +# Federation client max idle connections per host. Defaults to 1 as +# generally the same open connection can be re-used. +# +#federation_idle_per_host = 1 -server_name = "{{ matrix_domain }}" +# Federation sender request timeout (seconds). The time it takes for the +# remote server to process sent transactions can take a while. +# +#sender_timeout = 180 -# This is the only directory where Conduwuit will save its data -database_path = "/var/lib/matrix-conduwuit/" +# Federation sender idle connection pool timeout (seconds). +# +#sender_idle_timeout = 180 -# The port Conduwuit will be running on. You need to set up a reverse proxy in -# your web server (e.g. apache or nginx), so all requests to /_matrix on port -# 443 and 8448 will be forwarded to the Conduwuit instance running on this port -# Docker users: Don't change this, you'll need to map an external port to this. -port = {{ matrix_conduwuit_port_number }} +# Federation sender transaction retry backoff limit (seconds). +# +#sender_retry_backoff_limit = 86400 -# Max size for uploads -max_request_size = {{ matrix_conduwuit_max_request_size }} +# Appservice URL request connection timeout. Defaults to 35 seconds as +# generally appservices are hosted within the same network. +# +#appservice_timeout = 35 -# Enables registration. If set to false, no users can register on this server. -allow_registration = {{ matrix_conduwuit_allow_registration | to_json }} +# Appservice URL idle connection pool timeout (seconds). +# +#appservice_idle_timeout = 300 -allow_federation = {{ matrix_conduwuit_allow_federation | to_json }} +# Notification gateway pusher idle connection pool timeout. +# +#pusher_idle_timeout = 15 -# Enable the display name suffix on registration. -new_user_displayname_suffix = {{ matrix_conduwuit_new_user_displayname_suffix | to_json }} +# Enables registration. If set to false, no users can register on this +# server. +# +# If set to true without a token configured, users can register with no +# form of 2nd-step only if you set the following option to true: +# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` +# +# If you would like registration only via token reg, please configure +# `registration_token` or `registration_token_file`. +# +allow_registration = {{ matrix_conduwuit_config_allow_registration | to_json }} +yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = {{ matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse | to_json }} + +allow_federation = {{ matrix_conduwuit_config_allow_federation | to_json }} + +# This item is undocumented. Please contribute documentation for it. +# +#yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = false + +# A static registration token that new users will have to provide when +# creating an account. If unset and `allow_registration` is true, +# registration is open without any condition. +# +# YOU NEED TO EDIT THIS OR USE registration_token_file. +# +# example: "o&^uCtes4HPf0Vu@F20jQeeWE7" +# +registration_token = {{ matrix_conduwuit_config_registration_token | to_json }} + +# Path to a file on the system that gets read for the registration token. +# this config option takes precedence/priority over "registration_token". +# +# conduwuit must be able to access the file, and it must not be empty +# +# example: "/etc/conduwuit/.reg_token" +# +#registration_token_file = + +# Controls whether encrypted rooms and events are allowed. +# +#allow_encryption = true + +# Controls whether federation is allowed or not. It is not recommended to +# disable this after the fact due to potential federation breakage. +# +#allow_federation = true + +# This item is undocumented. Please contribute documentation for it. +# +#federation_loopback = false + +# Set this to true to require authentication on the normally +# unauthenticated profile retrieval endpoints (GET) +# "/_matrix/client/v3/profile/{userId}". +# +# This can prevent profile scraping. +# +#require_auth_for_profile_requests = false + +# Set this to true to allow your server's public room directory to be +# federated. Set this to false to protect against /publicRooms spiders, +# but will forbid external users from viewing your server's public room +# directory. If federation is disabled entirely (`allow_federation`), this +# is inherently false. +# +#allow_public_room_directory_over_federation = false + +# Set this to true to allow your server's public room directory to be +# queried without client authentication (access token) through the Client +# APIs. Set this to false to protect against /publicRooms spiders. +# +#allow_public_room_directory_without_auth = false + +# Allow guests/unauthenticated users to access TURN credentials. +# +# This is the equivalent of Synapse's `turn_allow_guests` config option. +# This allows any unauthenticated user to call the endpoint +# `/_matrix/client/v3/voip/turnServer`. +# +# It is unlikely you need to enable this as all major clients support +# authentication for this endpoint and prevents misuse of your TURN server +# from potential bots. +# +#turn_allow_guests = false + +# Set this to true to lock down your server's public room directory and +# only allow admins to publish rooms to the room directory. Unpublishing +# is still allowed by all users with this enabled. +# +#lockdown_public_room_directory = false + +# Set this to true to allow federating device display names / allow +# external users to see your device display name. If federation is +# disabled entirely (`allow_federation`), this is inherently false. For +# privacy reasons, this is best left disabled. +# +#allow_device_name_federation = false + +# Config option to allow or disallow incoming federation requests that +# obtain the profiles of our local users from +# `/_matrix/federation/v1/query/profile` +# +# Increases privacy of your local user's such as display names, but some +# remote users may get a false "this user does not exist" error when they +# try to invite you to a DM or room. Also can protect against profile +# spiders. +# +# This is inherently false if `allow_federation` is disabled +# +#allow_inbound_profile_lookup_federation_requests = true + +# Allow standard users to create rooms. Appservices and admins are always +# allowed to create rooms +# +#allow_room_creation = true + +# Set to false to disable users from joining or creating room versions +# that aren't officially supported by conduwuit. +# +# conduwuit officially supports room versions 6 - 11. +# +# conduwuit has slightly experimental (though works fine in practice) +# support for versions 3 - 5. +# +#allow_unstable_room_versions = true + +# Default room version conduwuit will create rooms with. +# +# Per spec, room version 10 is the default. +# +#default_room_version = 10 + +# This item is undocumented. Please contribute documentation for it. +# +#allow_jaeger = false + +# This item is undocumented. Please contribute documentation for it. +# +#jaeger_filter = "info" + +# If the 'perf_measurements' compile-time feature is enabled, enables +# collecting folded stack trace profile of tracing spans using +# tracing_flame. The resulting profile can be visualized with inferno[1], +# speedscope[2], or a number of other tools. +# +# [1]: https://github.com/jonhoo/inferno +# [2]: www.speedscope.app +# +#tracing_flame = false + +# This item is undocumented. Please contribute documentation for it. +# +#tracing_flame_filter = "info" + +# This item is undocumented. Please contribute documentation for it. +# +#tracing_flame_output_path = "./tracing.folded" + +# Examples: +# +# - No proxy (default): +# +# proxy = "none" +# +# - For global proxy, create the section at the bottom of this file: +# +# [global.proxy] +# global = { url = "socks5h://localhost:9050" } +# +# - To proxy some domains: +# +# [global.proxy] +# [[global.proxy.by_domain]] +# url = "socks5h://localhost:9050" +# include = ["*.onion", "matrix.myspecial.onion"] +# exclude = ["*.myspecial.onion"] +# +# Include vs. Exclude: +# +# - If include is an empty list, it is assumed to be `["*"]`. +# +# - If a domain matches both the exclude and include list, the proxy will +# only be used if it was included because of a more specific rule than +# it was excluded. In the above example, the proxy would be used for +# `ordinary.onion`, `matrix.myspecial.onion`, but not +# `hello.myspecial.onion`. +# +#proxy = "none" + +# Servers listed here will be used to gather public keys of other servers +# (notary trusted key servers). +# +# Currently, conduwuit doesn't support inbound batched key requests, so +# this list should only contain other Synapse servers. +# +# example: ["matrix.org", "envs.net", "constellatory.net", "tchncs.de"] +# trusted_servers = {{ matrix_conduwuit_trusted_servers | to_json }} -log = "info,state_res=warn,rocket=off,_=off,sled=off" +# Whether to query the servers listed in trusted_servers first or query +# the origin server first. For best security, querying the origin server +# first is advised to minimize the exposure to a compromised trusted +# server. For maximum federation/join performance this can be set to true, +# however other options exist to query trusted servers first under +# specific high-load circumstances and should be evaluated before setting +# this to true. +# +#query_trusted_key_servers_first = false -address = "0.0.0.0" +# Whether to query the servers listed in trusted_servers first +# specifically on room joins. This option limits the exposure to a +# compromised trusted server to room joins only. The join operation +# requires gathering keys from many origin servers which can cause +# significant delays. Therefor this defaults to true to mitigate +# unexpected delays out-of-the-box. The security-paranoid or those willing +# to tolerate delays are advised to set this to false. Note that setting +# query_trusted_key_servers_first to true causes this option to be +# ignored. +# +#query_trusted_key_servers_first_on_join = true + +# Only query trusted servers for keys and never the origin server. This is +# intended for clusters or custom deployments using their trusted_servers +# as forwarding-agents to cache and deduplicate requests. Notary servers +# do not act as forwarding-agents by default, therefor do not enable this +# unless you know exactly what you are doing. +# +#only_query_trusted_key_servers = false + +# Maximum number of keys to request in each trusted server batch query. +# +#trusted_server_batch_size = 1024 + +# Max log level for conduwuit. Allows debug, info, warn, or error. +# +# See also: +# https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#directives +# +# **Caveat**: +# For release builds, the tracing crate is configured to only implement +# levels higher than error to avoid unnecessary overhead in the compiled +# binary from trace macros. For debug builds, this restriction is not +# applied. +# +log = {{ matrix_conduwuit_config_log | to_json }} + +# Output logs with ANSI colours. +# +#log_colors = true + +# Configures the span events which will be outputted with the log. +# +#log_span_events = "none" + +# Configures whether CONDUWUIT_LOG EnvFilter matches values using regular +# expressions. See the tracing_subscriber documentation on Directives. +# +#log_filter_regex = true + +# Toggles the display of ThreadId in tracing log output. +# +#log_thread_ids = false + +# OpenID token expiration/TTL in seconds. +# +# These are the OpenID tokens that are primarily used for Matrix account +# integrations (e.g. Vector Integrations in Element), *not* OIDC/OpenID +# Connect/etc. +# +#openid_token_ttl = 3600 + +# Allow an existing session to mint a login token for another client. +# This requires interactive authentication, but has security ramifications +# as a malicious client could use the mechanism to spawn more than one +# session. +# Enabled by default. +# +#login_via_existing_session = true -turn_uris = {{ matrix_conduwuit_turn_uris | to_json }} +# Login token expiration/TTL in milliseconds. +# +# These are short-lived tokens for the m.login.token endpoint. +# This is used to allow existing sessions to create new sessions. +# see login_via_existing_session. +# +#login_token_ttl = 120000 -{% if matrix_conduwuit_turn_secret != '' %} -turn_secret = {{ matrix_conduwuit_turn_secret | to_json }} +# Static TURN username to provide the client if not using a shared secret +# ("turn_secret"), It is recommended to use a shared secret over static +# credentials. +# +#turn_username = false + +# Static TURN password to provide the client if not using a shared secret +# ("turn_secret"). It is recommended to use a shared secret over static +# credentials. +# +#turn_password = false + +# Vector list of TURN URIs/servers to use. +# +# Replace "example.turn.uri" with your TURN domain, such as the coturn +# "realm" config option. If using TURN over TLS, replace the URI prefix +# "turn:" with "turns:". +# +# example: ["turn:example.turn.uri?transport=udp", +# "turn:example.turn.uri?transport=tcp"] +# +turn_uris = {{ matrix_conduwuit_config_turn_uris | to_json }} + +# TURN secret to use for generating the HMAC-SHA1 hash apart of username +# and password generation. +# +# This is more secure, but if needed you can use traditional static +# username/password credentials. +# +#turn_secret = false +{% if matrix_conduwuit_config_turn_secret != '' %} +turn_secret = {{ matrix_conduwuit_config_turn_secret | to_json }} {% endif %} # If you have your TURN server configured to use a username and password # you can provide these information too. In this case comment out `turn_secret above`! -{% if matrix_conduwuit_turn_username != '' or matrix_conduwuit_turn_password != '' %} -turn_username = {{ matrix_conduwuit_turn_username | to_json }} -turn_password = {{ matrix_conduwuit_turn_password | to_json }} +{% if matrix_conduwuit_config_turn_username != '' or matrix_conduwuit_config_turn_password != '' %} +turn_username = {{ matrix_conduwuit_config_turn_username | to_json }} +turn_password = {{ matrix_conduwuit_config_turn_password | to_json }} {% endif %} + +# TURN secret to use that's read from the file path specified. +# +# This takes priority over "turn_secret" first, and falls back to +# "turn_secret" if invalid or failed to open. +# +# example: "/etc/conduwuit/.turn_secret" +# +#turn_secret_file = + +# TURN TTL, in seconds. +# +#turn_ttl = 86400 + +# List/vector of room IDs or room aliases that conduwuit will make newly +# registered users join. The rooms specified must be rooms that you have +# joined at least once on the server, and must be public. +# +# example: ["#conduwuit:puppygock.gay", +# "!eoIzvAvVwY23LPDay8:puppygock.gay"] +# +#auto_join_rooms = [] + +# Config option to automatically deactivate the account of any user who +# attempts to join a: +# - banned room +# - forbidden room alias +# - room alias or ID with a forbidden server name +# +# This may be useful if all your banned lists consist of toxic rooms or +# servers that no good faith user would ever attempt to join, and +# to automatically remediate the problem without any admin user +# intervention. +# +# This will also make the user leave all rooms. Federation (e.g. remote +# room invites) are ignored here. +# +# Defaults to false as rooms can be banned for non-moderation-related +# reasons and this performs a full user deactivation. +# +#auto_deactivate_banned_room_attempts = false + +# RocksDB log level. This is not the same as conduwuit's log level. This +# is the log level for the RocksDB engine/library which show up in your +# database folder/path as `LOG` files. conduwuit will log RocksDB errors +# as normal through tracing or panics if severe for safety. +# +#rocksdb_log_level = "error" + +# This item is undocumented. Please contribute documentation for it. +# +#rocksdb_log_stderr = false + +# Max RocksDB `LOG` file size before rotating in bytes. Defaults to 4MB in +# bytes. +# +#rocksdb_max_log_file_size = 4194304 + +# Time in seconds before RocksDB will forcibly rotate logs. +# +#rocksdb_log_time_to_roll = 0 + +# Set this to true to use RocksDB config options that are tailored to HDDs +# (slower device storage). +# +# It is worth noting that by default, conduwuit will use RocksDB with +# Direct IO enabled. *Generally* speaking this improves performance as it +# bypasses buffered I/O (system page cache). However there is a potential +# chance that Direct IO may cause issues with database operations if your +# setup is uncommon. This has been observed with FUSE filesystems, and +# possibly ZFS filesystem. RocksDB generally deals/corrects these issues +# but it cannot account for all setups. If you experience any weird +# RocksDB issues, try enabling this option as it turns off Direct IO and +# feel free to report in the conduwuit Matrix room if this option fixes +# your DB issues. +# +# For more information, see: +# https://github.com/facebook/rocksdb/wiki/Direct-IO +# +#rocksdb_optimize_for_spinning_disks = false + +# Enables direct-io to increase database performance via unbuffered I/O. +# +# For more details about direct I/O and RockDB, see: +# https://github.com/facebook/rocksdb/wiki/Direct-IO +# +# Set this option to false if the database resides on a filesystem which +# does not support direct-io like FUSE, or any form of complex filesystem +# setup such as possibly ZFS. +# +#rocksdb_direct_io = true + +# Amount of threads that RocksDB will use for parallelism on database +# operations such as cleanup, sync, flush, compaction, etc. Set to 0 to +# use all your logical threads. Defaults to your CPU logical thread count. +# +#rocksdb_parallelism_threads = varies by system + +# Maximum number of LOG files RocksDB will keep. This must *not* be set to +# 0. It must be at least 1. Defaults to 3 as these are not very useful +# unless troubleshooting/debugging a RocksDB bug. +# +#rocksdb_max_log_files = 3 + +# Type of RocksDB database compression to use. +# +# Available options are "zstd", "zlib", "bz2", "lz4", or "none". +# +# It is best to use ZSTD as an overall good balance between +# speed/performance, storage, IO amplification, and CPU usage. For more +# performance but less compression (more storage used) and less CPU usage, +# use LZ4. +# +# For more details, see: +# https://github.com/facebook/rocksdb/wiki/Compression +# +# "none" will disable compression. +# +#rocksdb_compression_algo = "zstd" + +# Level of compression the specified compression algorithm for RocksDB to +# use. +# +# Default is 32767, which is internally read by RocksDB as the default +# magic number and translated to the library's default compression level +# as they all differ. See their `kDefaultCompressionLevel`. +# +#rocksdb_compression_level = 32767 + +# Level of compression the specified compression algorithm for the +# bottommost level/data for RocksDB to use. Default is 32767, which is +# internally read by RocksDB as the default magic number and translated to +# the library's default compression level as they all differ. See their +# `kDefaultCompressionLevel`. +# +# Since this is the bottommost level (generally old and least used data), +# it may be desirable to have a very high compression level here as it's +# less likely for this data to be used. Research your chosen compression +# algorithm. +# +#rocksdb_bottommost_compression_level = 32767 + +# Whether to enable RocksDB's "bottommost_compression". +# +# At the expense of more CPU usage, this will further compress the +# database to reduce more storage. It is recommended to use ZSTD +# compression with this for best compression results. This may be useful +# if you're trying to reduce storage usage from the database. +# +# See https://github.com/facebook/rocksdb/wiki/Compression for more details. +# +#rocksdb_bottommost_compression = false + +# Database recovery mode (for RocksDB WAL corruption). +# +# Use this option when the server reports corruption and refuses to start. +# Set mode 2 (PointInTime) to cleanly recover from this corruption. The +# server will continue from the last good state, several seconds or +# minutes prior to the crash. Clients may have to run "clear-cache & +# reload" to account for the rollback. Upon success, you may reset the +# mode back to default and restart again. Please note in some cases the +# corruption error may not be cleared for at least 30 minutes of operation +# in PointInTime mode. +# +# As a very last ditch effort, if PointInTime does not fix or resolve +# anything, you can try mode 3 (SkipAnyCorruptedRecord) but this will +# leave the server in a potentially inconsistent state. +# +# The default mode 1 (TolerateCorruptedTailRecords) will automatically +# drop the last entry in the database if corrupted during shutdown, but +# nothing more. It is extraordinarily unlikely this will desynchronize +# clients. To disable any form of silent rollback set mode 0 +# (AbsoluteConsistency). +# +# The options are: +# 0 = AbsoluteConsistency +# 1 = TolerateCorruptedTailRecords (default) +# 2 = PointInTime (use me if trying to recover) +# 3 = SkipAnyCorruptedRecord (you now voided your Conduwuit warranty) +# +# For more information on these modes, see: +# https://github.com/facebook/rocksdb/wiki/WAL-Recovery-Modes +# +# For more details on recovering a corrupt database, see: +# https://conduwuit.puppyirl.gay/troubleshooting.html#database-corruption +# +#rocksdb_recovery_mode = 1 + +# Enables or disables paranoid SST file checks. This can improve RocksDB +# database consistency at a potential performance impact due to further +# safety checks ran. +# +# For more information, see: +# https://github.com/facebook/rocksdb/wiki/Online-Verification#columnfamilyoptionsparanoid_file_checks +# +#rocksdb_paranoid_file_checks = false + +# Database repair mode (for RocksDB SST corruption). +# +# Use this option when the server reports corruption while running or +# panics. If the server refuses to start use the recovery mode options +# first. Corruption errors containing the acronym 'SST' which occur after +# startup will likely require this option. +# +# - Backing up your database directory is recommended prior to running the +# repair. +# +# - Disabling repair mode and restarting the server is recommended after +# running the repair. +# +# See https://conduwuit.puppyirl.gay/troubleshooting.html#database-corruption for more details on recovering a corrupt database. +# +#rocksdb_repair = false + +# This item is undocumented. Please contribute documentation for it. +# +#rocksdb_read_only = false + +# This item is undocumented. Please contribute documentation for it. +# +#rocksdb_secondary = false + +# Enables idle CPU priority for compaction thread. This is not enabled by +# default to prevent compaction from falling too far behind on busy +# systems. +# +#rocksdb_compaction_prio_idle = false + +# Enables idle IO priority for compaction thread. This prevents any +# unexpected lag in the server's operation and is usually a good idea. +# Enabled by default. +# +#rocksdb_compaction_ioprio_idle = true + +# Disables RocksDB compaction. You should never ever have to set this +# option to true. If you for some reason find yourself needing to use this +# option as part of troubleshooting or a bug, please reach out to us in +# the conduwuit Matrix room with information and details. +# +# Disabling compaction will lead to a significantly bloated and +# explosively large database, gradually poor performance, unnecessarily +# excessive disk read/writes, and slower shutdowns and startups. +# +#rocksdb_compaction = true + +# Level of statistics collection. Some admin commands to display database +# statistics may require this option to be set. Database performance may +# be impacted by higher settings. +# +# Option is a number ranging from 0 to 6: +# 0 = No statistics. +# 1 = No statistics in release mode (default). +# 2 to 3 = Statistics with no performance impact. +# 3 to 5 = Statistics with possible performance impact. +# 6 = All statistics. +# +#rocksdb_stats_level = 1 + +# This is a password that can be configured that will let you login to the +# server bot account (currently `@conduit`) for emergency troubleshooting +# purposes such as recovering/recreating your admin room, or inviting +# yourself back. +# +# See https://conduwuit.puppyirl.gay/troubleshooting.html#lost-access-to-admin-room for other ways to get back into your admin room. +# +# Once this password is unset, all sessions will be logged out for +# security purposes. +# +# example: "F670$2CP@Hw8mG7RY1$%!#Ic7YA" +# +emergency_password = {{ matrix_conduwuit_config_emergency_password | to_json }} + +# This item is undocumented. Please contribute documentation for it. +# +#notification_push_path = "/_matrix/push/v1/notify" + +# Allow local (your server only) presence updates/requests. +# +# Note that presence on conduwuit is very fast unlike Synapse's. If using +# outgoing presence, this MUST be enabled. +# +#allow_local_presence = true + +# Allow incoming federated presence updates/requests. +# +# This option receives presence updates from other servers, but does not +# send any unless `allow_outgoing_presence` is true. Note that presence on +# conduwuit is very fast unlike Synapse's. +# +#allow_incoming_presence = true + +# Allow outgoing presence updates/requests. +# +# This option sends presence updates to other servers, but does not +# receive any unless `allow_incoming_presence` is true. Note that presence +# on conduwuit is very fast unlike Synapse's. If using outgoing presence, +# you MUST enable `allow_local_presence` as well. +# +#allow_outgoing_presence = true + +# How many seconds without presence updates before you become idle. +# Defaults to 5 minutes. +# +#presence_idle_timeout_s = 300 + +# How many seconds without presence updates before you become offline. +# Defaults to 30 minutes. +# +#presence_offline_timeout_s = 1800 + +# Enable the presence idle timer for remote users. +# +# Disabling is offered as an optimization for servers participating in +# many large rooms or when resources are limited. Disabling it may cause +# incorrect presence states (i.e. stuck online) to be seen for some remote +# users. +# +#presence_timeout_remote_users = true + +# Allow receiving incoming read receipts from remote servers. +# +#allow_incoming_read_receipts = true + +# Allow sending read receipts to remote servers. +# +#allow_outgoing_read_receipts = true + +# Allow outgoing typing updates to federation. +# +#allow_outgoing_typing = true + +# Allow incoming typing updates from federation. +# +#allow_incoming_typing = true + +# Maximum time federation user can indicate typing. +# +#typing_federation_timeout_s = 30 + +# Minimum time local client can indicate typing. This does not override a +# client's request to stop typing. It only enforces a minimum value in +# case of no stop request. +# +#typing_client_timeout_min_s = 15 + +# Maximum time local client can indicate typing. +# +#typing_client_timeout_max_s = 45 + +# Set this to true for conduwuit to compress HTTP response bodies using +# zstd. This option does nothing if conduwuit was not built with +# `zstd_compression` feature. Please be aware that enabling HTTP +# compression may weaken TLS. Most users should not need to enable this. +# See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH +# before deciding to enable this. +# +#zstd_compression = false + +# Set this to true for conduwuit to compress HTTP response bodies using +# gzip. This option does nothing if conduwuit was not built with +# `gzip_compression` feature. Please be aware that enabling HTTP +# compression may weaken TLS. Most users should not need to enable this. +# See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH before +# deciding to enable this. +# +# If you are in a large amount of rooms, you may find that enabling this +# is necessary to reduce the significantly large response bodies. +# +#gzip_compression = false + +# Set this to true for conduwuit to compress HTTP response bodies using +# brotli. This option does nothing if conduwuit was not built with +# `brotli_compression` feature. Please be aware that enabling HTTP +# compression may weaken TLS. Most users should not need to enable this. +# See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH +# before deciding to enable this. +# +#brotli_compression = false + +# Set to true to allow user type "guest" registrations. Some clients like +# Element attempt to register guest users automatically. +# +#allow_guest_registration = false + +# Set to true to log guest registrations in the admin room. Note that +# these may be noisy or unnecessary if you're a public homeserver. +# +#log_guest_registrations = false + +# Set to true to allow guest registrations/users to auto join any rooms +# specified in `auto_join_rooms`. +# +#allow_guests_auto_join_rooms = false + +# Enable the legacy unauthenticated Matrix media repository endpoints. +# These endpoints consist of: +# - /_matrix/media/*/config +# - /_matrix/media/*/upload +# - /_matrix/media/*/preview_url +# - /_matrix/media/*/download/* +# - /_matrix/media/*/thumbnail/* +# +# The authenticated equivalent endpoints are always enabled. +# +# Defaults to true for now, but this is highly subject to change, likely +# in the next release. +# +#allow_legacy_media = true + +# This item is undocumented. Please contribute documentation for it. +# +#freeze_legacy_media = true + +# Check consistency of the media directory at startup: +# 1. When `media_compat_file_link` is enabled, this check will upgrade +# media when switching back and forth between Conduit and conduwuit. +# Both options must be enabled to handle this. +# 2. When media is deleted from the directory, this check will also delete +# its database entry. +# +# If none of these checks apply to your use cases, and your media +# directory is significantly large setting this to false may reduce +# startup time. +# +#media_startup_check = true + +# Enable backward-compatibility with Conduit's media directory by creating +# symlinks of media. +# +# This option is only necessary if you plan on using Conduit again. +# Otherwise setting this to false reduces filesystem clutter and overhead +# for managing these symlinks in the directory. This is now disabled by +# default. You may still return to upstream Conduit but you have to run +# conduwuit at least once with this set to true and allow the +# media_startup_check to take place before shutting down to return to +# Conduit. +# +#media_compat_file_link = false + +# Prune missing media from the database as part of the media startup +# checks. +# +# This means if you delete files from the media directory the +# corresponding entries will be removed from the database. This is +# disabled by default because if the media directory is accidentally moved +# or inaccessible, the metadata entries in the database will be lost with +# sadness. +# +#prune_missing_media = false + +# Vector list of servers that conduwuit will refuse to download remote +# media from. +# +#prevent_media_downloads_from = [] + +# List of forbidden server names that we will block incoming AND outgoing +# federation with, and block client room joins / remote user invites. +# +# This check is applied on the room ID, room alias, sender server name, +# sender user's server name, inbound federation X-Matrix origin, and +# outbound federation handler. +# +# Basically "global" ACLs. +# +#forbidden_remote_server_names = [] + +# List of forbidden server names that we will block all outgoing federated +# room directory requests for. Useful for preventing our users from +# wandering into bad servers or spaces. +# +#forbidden_remote_room_directory_server_names = [] + +# Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you +# do not want conduwuit to send outbound requests to. Defaults to +# RFC1918, unroutable, loopback, multicast, and testnet addresses for +# security. +# +# Please be aware that this is *not* a guarantee. You should be using a +# firewall with zones as doing this on the application layer may have +# bypasses. +# +# Currently this does not account for proxies in use like Synapse does. +# +# To disable, set this to be an empty vector (`[]`). +# +# Defaults to: +# ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", +# "192.168.0.0/16", "100.64.0.0/10", "192.0.0.0/24", "169.254.0.0/16", +# "192.88.99.0/24", "198.18.0.0/15", "192.0.2.0/24", "198.51.100.0/24", +# "203.0.113.0/24", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", +# "2001:db8::/32", "ff00::/8", "fec0::/10"] +# +#ip_range_denylist = + +# Optional IP address or network interface-name to bind as the source of +# URL preview requests. If not set, it will not bind to a specific +# address or interface. +# +# Interface names only supported on Linux, Android, and Fuchsia platforms; +# all other platforms can specify the IP address. To list the interfaces +# on your system, use the command `ip link show`. +# +# example: `"eth0"` or `"1.2.3.4"` +# +#url_preview_bound_interface = + +# Vector list of domains allowed to send requests to for URL previews. +# +# This is a *contains* match, not an explicit match. Putting "google.com" +# will match "https://google.com" and +# "http://mymaliciousdomainexamplegoogle.com" Setting this to "*" will +# allow all URL previews. Please note that this opens up significant +# attack surface to your server, you are expected to be aware of the risks +# by doing so. +# +#url_preview_domain_contains_allowlist = [] + +# Vector list of explicit domains allowed to send requests to for URL +# previews. +# +# This is an *explicit* match, not a contains match. Putting "google.com" +# will match "https://google.com", "http://google.com", but not +# "https://mymaliciousdomainexamplegoogle.com". Setting this to "*" will +# allow all URL previews. Please note that this opens up significant +# attack surface to your server, you are expected to be aware of the risks +# by doing so. +# +#url_preview_domain_explicit_allowlist = [] + +# Vector list of explicit domains not allowed to send requests to for URL +# previews. +# +# This is an *explicit* match, not a contains match. Putting "google.com" +# will match "https://google.com", "http://google.com", but not +# "https://mymaliciousdomainexamplegoogle.com". The denylist is checked +# first before allowlist. Setting this to "*" will not do anything. +# +#url_preview_domain_explicit_denylist = [] + +# Vector list of URLs allowed to send requests to for URL previews. +# +# Note that this is a *contains* match, not an explicit match. Putting +# "google.com" will match "https://google.com/", +# "https://google.com/url?q=https://mymaliciousdomainexample.com", and +# "https://mymaliciousdomainexample.com/hi/google.com" Setting this to "*" +# will allow all URL previews. Please note that this opens up significant +# attack surface to your server, you are expected to be aware of the risks +# by doing so. +# +#url_preview_url_contains_allowlist = [] + +# Maximum amount of bytes allowed in a URL preview body size when +# spidering. Defaults to 256KB in bytes. +# +#url_preview_max_spider_size = 256000 + +# Option to decide whether you would like to run the domain allowlist +# checks (contains and explicit) on the root domain or not. Does not apply +# to URL contains allowlist. Defaults to false. +# +# Example usecase: If this is enabled and you have "wikipedia.org" allowed +# in the explicit and/or contains domain allowlist, it will allow all +# subdomains under "wikipedia.org" such as "en.m.wikipedia.org" as the +# root domain is checked and matched. Useful if the domain contains +# allowlist is still too broad for you but you still want to allow all the +# subdomains under a root domain. +# +#url_preview_check_root_domain = false + +# List of forbidden room aliases and room IDs as strings of regex +# patterns. +# +# Regex can be used or explicit contains matches can be done by just +# specifying the words (see example). +# +# This is checked upon room alias creation, custom room ID creation if +# used, and startup as warnings if any room aliases in your database have +# a forbidden room alias/ID. +# +# example: ["19dollarfortnitecards", "b[4a]droom"] +# +#forbidden_alias_names = [] + +# List of forbidden username patterns/strings. +# +# Regex can be used or explicit contains matches can be done by just +# specifying the words (see example). +# +# This is checked upon username availability check, registration, and +# startup as warnings if any local users in your database have a forbidden +# username. +# +# example: ["administrator", "b[a4]dusernam[3e]"] +# +#forbidden_usernames = [] + +# Retry failed and incomplete messages to remote servers immediately upon +# startup. This is called bursting. If this is disabled, said messages may +# not be delivered until more messages are queued for that server. Do not +# change this option unless server resources are extremely limited or the +# scale of the server's deployment is huge. Do not disable this unless you +# know what you are doing. +# +#startup_netburst = true + +# Messages are dropped and not reattempted. The `startup_netburst` option +# must be enabled for this value to have any effect. Do not change this +# value unless you know what you are doing. Set this value to -1 to +# reattempt every message without trimming the queues; this may consume +# significant disk. Set this value to 0 to drop all messages without any +# attempt at redelivery. +# +#startup_netburst_keep = 50 + +# Block non-admin local users from sending room invites (local and +# remote), and block non-admin users from receiving remote room invites. +# +# Admins are always allowed to send and receive all room invites. +# +#block_non_admin_invites = false + +# Allow admins to enter commands in rooms other than "#admins" (admin +# room) by prefixing your message with "\!admin" or "\\!admin" followed up +# a normal conduwuit admin command. The reply will be publicly visible to +# the room, originating from the sender. +# +# example: \\!admin debug ping puppygock.gay +# +#admin_escape_commands = true + +# Automatically activate the conduwuit admin room console / CLI on +# startup. This option can also be enabled with `--console` conduwuit +# argument. +# +#admin_console_automatic = false + +# List of admin commands to execute on startup. +# +# This option can also be configured with the `--execute` conduwuit +# argument and can take standard shell commands and environment variables +# +# For example: `./conduwuit --execute "server admin-notice conduwuit has +# started up at $(date)"` +# +# example: admin_execute = ["debug ping puppygock.gay", "debug echo hi"]` +# +#admin_execute = [] + +# Ignore errors in startup commands. +# +# If false, conduwuit will error and fail to start if an admin execute +# command (`--execute` / `admin_execute`) fails. +# +#admin_execute_errors_ignore = false + +# Controls the max log level for admin command log captures (logs +# generated from running admin commands). Defaults to "info" on release +# builds, else "debug" on debug builds. +# +#admin_log_capture = "info" + +# The default room tag to apply on the admin room. +# +# On some clients like Element, the room tag "m.server_notice" is a +# special pinned room at the very bottom of your room list. The conduwuit +# admin room can be pinned here so you always have an easy-to-access +# shortcut dedicated to your admin room. +# +#admin_room_tag = "m.server_notice" + +# Sentry.io crash/panic reporting, performance monitoring/metrics, etc. +# This is NOT enabled by default. conduwuit's default Sentry reporting +# endpoint domain is `o4506996327251968.ingest.us.sentry.io`. +# +#sentry = false + +# Sentry reporting URL, if a custom one is desired. +# +#sentry_endpoint = "https://fe2eb4536aa04949e28eff3128d64757@o4506996327251968.ingest.us.sentry.io/4506996334657536" + +# Report your conduwuit server_name in Sentry.io crash reports and +# metrics. +# +#sentry_send_server_name = false + +# Performance monitoring/tracing sample rate for Sentry.io. +# +# Note that too high values may impact performance, and can be disabled by +# setting it to 0.0 (0%) This value is read as a percentage to Sentry, +# represented as a decimal. Defaults to 15% of traces (0.15) +# +#sentry_traces_sample_rate = 0.15 + +# Whether to attach a stacktrace to Sentry reports. +# +#sentry_attach_stacktrace = false + +# Send panics to Sentry. This is true by default, but Sentry has to be +# enabled. The global `sentry` config option must be enabled to send any +# data. +# +#sentry_send_panic = true + +# Send errors to sentry. This is true by default, but sentry has to be +# enabled. This option is only effective in release-mode; forced to false +# in debug-mode. +# +#sentry_send_error = true + +# Controls the tracing log level for Sentry to send things like +# breadcrumbs and transactions +# +#sentry_filter = "info" + +# Enable the tokio-console. This option is only relevant to developers. +# +# For more information, see: +# https://conduwuit.puppyirl.gay/development.html#debugging-with-tokio-console +# +#tokio_console = false + +# This item is undocumented. Please contribute documentation for it. +# +#test = false + +# Controls whether admin room notices like account registrations, password +# changes, account deactivations, room directory publications, etc will be +# sent to the admin room. Update notices and normal admin command +# responses will still be sent. +# +#admin_room_notices = true + +# Enable database pool affinity support. On supporting systems, block +# device queue topologies are detected and the request pool is optimized +# for the hardware; db_pool_workers is determined automatically. +# +#db_pool_affinity = true + +# Sets the number of worker threads in the frontend-pool of the database. +# This number should reflect the I/O capabilities of the system, +# such as the queue-depth or the number of simultaneous requests in +# flight. Defaults to 32 or four times the number of CPU cores, whichever +# is greater. +# +# Note: This value is only used if db_pool_affinity is disabled or not +# detected on the system, otherwise it is determined automatically. +# +#db_pool_workers = 32 + +# When db_pool_affinity is enabled and detected, the size of any worker +# group will not exceed the determined value. This is necessary when +# thread-pooling approach does not scale to the full capabilities of +# high-end hardware; using detected values without limitation could +# degrade performance. +# +# The value is multiplied by the number of cores which share a device +# queue, since group workers can be scheduled on any of those cores. +# +#db_pool_workers_limit = 64 + +# Determines the size of the queues feeding the database's frontend-pool. +# The size of the queue is determined by multiplying this value with the +# number of pool workers. When this queue is full, tokio tasks conducting +# requests will yield until space is available; this is good for +# flow-control by avoiding buffer-bloat, but can inhibit throughput if +# too low. +# +#db_pool_queue_mult = 4 + +# Sets the initial value for the concurrency of streams. This value simply +# allows overriding the default in the code. The default is 32, which is +# the same as the default in the code. Note this value is itself +# overridden by the computed stream_width_scale, unless that is disabled; +# this value can serve as a fixed-width instead. +# +#stream_width_default = 32 + +# Scales the stream width starting from a base value detected for the +# specific system. The base value is the database pool worker count +# determined from the hardware queue size (e.g. 32 for SSD or 64 or 128+ +# for NVMe). This float allows scaling the width up or down by multiplying +# it (e.g. 1.5, 2.0, etc). The maximum result can be the size of the pool +# queue (see: db_pool_queue_mult) as any larger value will stall the tokio +# task. The value can also be scaled down (e.g. 0.5) to improve +# responsiveness for many users at the cost of throughput for each. +# +# Setting this value to 0.0 causes the stream width to be fixed at the +# value of stream_width_default. The default scale is 1.0 to match the +# capabilities detected for the system. +# +#stream_width_scale = 1.0 + +# Sets the initial amplification factor. This controls batch sizes of +# requests made by each pool worker, multiplying the throughput of each +# stream. This value is somewhat abstract from specific hardware +# characteristics and can be significantly larger than any thread count or +# queue size. This is because each database query may require several +# index lookups, thus many database queries in a batch may make progress +# independently while also sharing index and data blocks which may or may +# not be cached. It is worthwhile to submit huge batches to reduce +# complexity. The maximum value is 32768, though sufficient hardware is +# still advised for that. +# +#stream_amplification = 1024 + +# Number of sender task workers; determines sender parallelism. Default is +# '0' which means the value is determined internally, likely matching the +# number of tokio worker-threads or number of cores, etc. Override by +# setting a non-zero value. +# +#sender_workers = 0 + +[global.well_known] + +# The server URL that the client well-known file will serve. This should +# not contain a port, and should just be a valid HTTPS URL. +# +# example: "https://matrix.example.com" +# +#client = + +# The server base domain of the URL with a specific port that the server +# well-known file will serve. This should contain a port at the end, and +# should not be a URL. +# +# example: "matrix.example.com:443" +# +#server = + +# This item is undocumented. Please contribute documentation for it. +# +#support_page = + +# This item is undocumented. Please contribute documentation for it. +# +#support_role = + +# This item is undocumented. Please contribute documentation for it. +# +#support_email = + +# This item is undocumented. Please contribute documentation for it. +# +#support_mxid = diff --git a/roles/custom/matrix-conduwuit/templates/env.j2 b/roles/custom/matrix-conduwuit/templates/env.j2 new file mode 100644 index 000000000..026bfe308 --- /dev/null +++ b/roles/custom/matrix-conduwuit/templates/env.j2 @@ -0,0 +1 @@ +{{ matrix_conduwuit_environment_variables_extension }} diff --git a/roles/custom/matrix-conduwuit/templates/labels.j2 b/roles/custom/matrix-conduwuit/templates/labels.j2 index 13ab1487c..9ef9db4f8 100644 --- a/roles/custom/matrix-conduwuit/templates/labels.j2 +++ b/roles/custom/matrix-conduwuit/templates/labels.j2 @@ -5,7 +5,7 @@ traefik.enable=true traefik.docker.network={{ matrix_conduwuit_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.matrix-conduwuit.loadbalancer.server.port={{ matrix_conduwuit_port_number }} +traefik.http.services.matrix-conduwuit.loadbalancer.server.port={{ matrix_conduwuit_config_port_number }} {% if matrix_conduwuit_container_labels_public_client_root_enabled %} @@ -129,6 +129,37 @@ traefik.http.routers.matrix-conduwuit-public-federation-api.tls.certResolver={{ {% endif %} + + +{% if matrix_conduwuit_container_labels_public_conduwuit_api_enabled %} +############################################################ +# # +# Public Conduwuit-API (/_conduwuit) # +# # +############################################################ + +traefik.http.routers.matrix-conduwuit-public-conduwuit-api.rule={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_rule }} + +{% if matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-conduwuit-public-conduwuit-api.priority={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-conduwuit-public-conduwuit-api.service=matrix-conduwuit +traefik.http.routers.matrix-conduwuit-public-conduwuit-api.entrypoints={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints }} + +traefik.http.routers.matrix-conduwuit-public-conduwuit-api.tls={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls | to_json }} +{% if matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls %} +traefik.http.routers.matrix-conduwuit-public-conduwuit-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls_certResolver }} +{% endif %} + +############################################################ +# # +# /Public Conduwuit-API (/_conduwuit) # +# # +############################################################ +{% endif %} + + {% endif %} {{ matrix_conduwuit_container_labels_additional_labels }} diff --git a/roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2 b/roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2 index 54b5cc7a5..5291e33a8 100644 --- a/roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2 +++ b/roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Conduwuit Matrix homeserver +Description=conduwuit Matrix homeserver {% for service in matrix_conduwuit_systemd_required_services_list %} Requires={{ service }} After={{ service }} @@ -21,10 +21,10 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_conduwuit_tmp_directory_size_mb }}m \ --network={{ matrix_conduwuit_container_network }} \ - --env conduwuit_CONFIG=/etc/matrix-conduwuit/conduwuit.toml \ + --env CONDUWUIT_CONFIG=/etc/conduwuit/conduwuit.toml \ --label-file={{ matrix_conduwuit_base_path }}/labels \ - --mount type=bind,src={{ matrix_conduwuit_data_path }},dst=/var/lib/matrix-conduwuit \ - --mount type=bind,src={{ matrix_conduwuit_config_path }},dst=/etc/matrix-conduwuit,ro \ + --mount type=bind,src={{ matrix_conduwuit_data_path }},dst=/var/lib/conduwuit \ + --mount type=bind,src={{ matrix_conduwuit_config_path }},dst=/etc/conduwuit,ro \ {% for arg in matrix_conduwuit_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/custom/matrix-conduwuit/vars/main.yml b/roles/custom/matrix-conduwuit/vars/main.yml index 7d26a504b..02684574c 100644 --- a/roles/custom/matrix-conduwuit/vars/main.yml +++ b/roles/custom/matrix-conduwuit/vars/main.yml @@ -1,3 +1,4 @@ --- + matrix_conduwuit_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}/_matrix/client/versions" matrix_conduwuit_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 6e9b63d54..b3b792a78 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -302,14 +302,6 @@ - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_with_container', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_conduit_additional_server_configuration_blocks', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_conduwuit_enabled', 'new': 'matrix_conduwuit_container_labels_traefik_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_conduwuit_block_federation_api_on_client_port', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_enabled', 'new': 'matrix_conduwuit_container_labels_public_federation_api_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_conduwuit_client_api_addr_with_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_conduwuit_client_api_addr_sans_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_addr_with_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_addr_sans_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_conduwuit_additional_server_configuration_blocks', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_dendrite_enabled', 'new': 'matrix_dendrite_container_labels_traefik_enabled'} - {'old': 'matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_enabled', 'new': 'matrix_dendrite_container_labels_public_federation_api_enabled'} From 1fe8b4975580ee4e399f23eabbf4b63f19298b73 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 19 Jan 2025 16:15:36 +0200 Subject: [PATCH 08/10] Mention Conduwuit in a few more places in the documentation Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3967 --- docs/configuring-playbook.md | 2 ++ docs/container-images.md | 1 + docs/howto-srv-server-delegation.md | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 2325aea66..98d182122 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -35,6 +35,8 @@ For a more custom setup, see the [Other configuration options](#other-configurat - [Configuring Conduit](configuring-playbook-conduit.md), if you've switched to the [Conduit](https://conduit.rs) homeserver implementation + - [Configuring Conduwuit](configuring-playbook-conduwuit.md), if you've switched to the [Conduwuit](https://conduwuit.puppyirl.gay/) homeserver implementation + - [Configuring Dendrite](configuring-playbook-dendrite.md), if you've switched to the [Dendrite](https://matrix-org.github.io/dendrite) homeserver implementation - Server components: diff --git a/docs/container-images.md b/docs/container-images.md index e2fd67d1a..2a38b2bd4 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -10,6 +10,7 @@ We try to stick to official images (provided by their respective projects) as mu | ------- | --------------- | -------- | ----------- | | [Synapse](configuring-playbook-synapse.md) | [element-hq/synapse](https://ghcr.io/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | | [Conduit](configuring-playbook-conduit.md) | [matrixconduit/matrix-conduit](https://hub.docker.com/r/matrixconduit/matrix-conduit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | +| [Conduwuit](configuring-playbook-conduwuit.md) | [girlbossceo/conduwuit](https://ghcr.io/girlbossceo/conduwuit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduwuit is a fork of Conduit. | | [Dendrite](configuring-playbook-dendrite.md) | [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | ## Clients diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md index 47659d624..7cf484712 100644 --- a/docs/howto-srv-server-delegation.md +++ b/docs/howto-srv-server-delegation.md @@ -18,7 +18,7 @@ The up-to-date list can be accessed on [traefik's documentation](https://doc.tra **Note**: the changes below instruct you how to do this for a basic Synapse installation. You will need to adapt the variable name and the content of the labels: -- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md) or [Dendrite](./configuring-playbook-dendrite.md)) +- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [Conduwuit](./configuring-playbook-conduwuit.md) or [Dendrite](./configuring-playbook-dendrite.md)) - if you're using [Synapse with workers enabled](./configuring-playbook-synapse.md#load-balancing-with-workers) (`matrix_synapse_workers_enabled: true`). In that case, it's actually the `matrix-synapse-reverse-proxy-companion` service which has Traefik labels attached Also, all instructions below are from an older version of the playbook and may not work anymore. From aafd2df066be9d657895d05c1d1dfcb45ad7a4c6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 19 Jan 2025 16:19:19 +0200 Subject: [PATCH 09/10] Announce Conduwuit support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3967 --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ebce4eaaa..a31ce22ff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,18 @@ +# 2025-01-19 + +## Conduwuit support + +Thanks to [Virkkunen](https://github.com/Virkkunen), we now have optional experimental [Conduwuit](https://conduwuit.puppyirl.gay/) homeserver support for new installations. + +Conduwuit is a fork of [Conduit](./docs/configuring-playbook-conduit.md), which the playbook also supports. See [Differences from upstream Conduit](https://conduwuit.puppyirl.gay/differences.html). + +Existing installations do **not** need to be updated. **Synapse is still the default homeserver implementation** installed by the playbook. + +To try out Conduwuit, we recommend that you **use a new server**. Refer to our [Configuring Conduwuit](./docs/configuring-playbook-conduwuit.md) guide for details. + +**The homeserver implementation of an existing server cannot be changed** (e.g. from Synapse/Conduit/Dendrite to Conduwuit) without data loss. + + # 2025-01-14 ## (Backward Compatibility Break) Synapse v1.122.0 requires Postgres v13 From ba19e4d303e2e3c7f9c1ee8b9ba48ff55c3c3992 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Sun, 19 Jan 2025 18:14:05 +0100 Subject: [PATCH 10/10] Replace Discharge with Disable In the context of disabling rate limits on an API its disable that is correct. We arent talking about controlling the discharge rate of a battery we dont want to blow up or harm. We are talking about matrix APIs and disabling the rate limiter on them. --- docs/configuring-playbook-bot-draupnir.md | 2 +- docs/configuring-playbook-bot-mjolnir.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index 58c15b1af..288cc4104 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md @@ -87,7 +87,7 @@ The APIs can also be accessed via [Synapse Admin](https://github.com/etkecc/syna **Note**: access to the APIs is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, doing so is not recommended for additional security. See [official Synapse reverse-proxying recommendations](https://element-hq.github.io/synapse/latest/reverse_proxy.html#synapse-administration-endpoints). -To discharge rate limiting, run the following command on systems that ship curl (note that it does not work on outdated Windows 10). Even if the APIs are not exposed to the internet, you should still be able to run the command on the homeserver locally. Before running it, make sure to replace `@bot.draupnir:example.com` with the MXID of your Draupnir: +To disable rate limiting, run the following command on systems that ship curl (note that it does not work on outdated Windows 10). Even if the APIs are not exposed to the internet, you should still be able to run the command on the homeserver locally. Before running it, make sure to replace `@bot.draupnir:example.com` with the MXID of your Draupnir: ```sh curl --header "Authorization: Bearer " -X POST https://matrix.example.com/_synapse/admin/v1/users/@bot.draupnir:example.com/override_ratelimit diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index c7a211491..2564cd2f9 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -42,7 +42,7 @@ The APIs can also be accessed via [Synapse Admin](https://github.com/etkecc/syna **Note**: access to the APIs is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, doing so is not recommended for additional security. See [official Synapse reverse-proxying recommendations](https://element-hq.github.io/synapse/latest/reverse_proxy.html#synapse-administration-endpoints). -To discharge rate limiting, run the following command on systems that ship curl (note that it does not work on outdated Windows 10). Even if the APIs are not exposed to the internet, you should still be able to run the command on the homeserver locally. Before running it, make sure to replace `@bot.mjolnir:example.com` with the MXID of your Mjolnir: +To disable rate limiting, run the following command on systems that ship curl (note that it does not work on outdated Windows 10). Even if the APIs are not exposed to the internet, you should still be able to run the command on the homeserver locally. Before running it, make sure to replace `@bot.mjolnir:example.com` with the MXID of your Mjolnir: ```sh curl --header "Authorization: Bearer " -X POST https://matrix.example.com/_synapse/admin/v1/users/@bot.mjolnir:example.com/override_ratelimit